umbral | 2f62506fbd6dbca8a941cbf5632305aef1508f0b95e89a281d5c5ab0298381a8

Analysis

max time kernel
6s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
13-08-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CODE STEALER.exe
Size

7.3MB
MD5

1d07c9e8178116ebbb44fc17d1d759a6
SHA1

5581b932910066fad920a8e1349dd139c04fe36f
SHA256

2f62506fbd6dbca8a941cbf5632305aef1508f0b95e89a281d5c5ab0298381a8
SHA512

7d9c2bd01434e817812fa3fb64c0ee2a8603fc2bd6757d991d21acfef693b0ea74c6afb904c5c1ccaa88c27f828a24f32e7de0056bcac1dbf462a353b833d526
SSDEEP

98304:ansmtk2awfcMGnSt8JDkfcMGnStVsCBbKZYzsH/ErMDu8yrnj7S9N9A474uwWaVE:ULkW8JDlWKsWZgkIo74j7yzEZhaZLV

Score

10^/10

umbral xred backdoor defense_evasion discovery execution persistence stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

umbral

https://discord.com/api/webhooks/1271910498107129856/6QtgJK8NkWoaobhUacej3NEYw3eYaasAKEEehxN04UR57cdaVkLvywYwnoPhZkUSYxdW

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/memory/2244-300-0x000002A327470000-0x000002A3274B0000-memory.dmp	family_umbral
behavioral1/files/0x0007000000023413-362.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
3204	powershell.exe
2168	powershell.exe
400	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Umbral.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Cr@ck tool pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Umbral.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Cr@ck tool pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	._cache_Cr@ck tool pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CODE STEALER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	._cache_CODE STEALER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 16 IoCs

pid	Process
4560	._cache_CODE STEALER.exe
2596	Umbral.exe
5028	Synaptics.exe
2008	Cr@ck tool pro.exe
4420	._cache_Cr@ck tool pro.exe
3800	._cache_Synaptics.exe
1536	._cache_Umbral.exe
4864	Synaptics.exe
5020	svchost.exe
2244	._cache_Umbral.exe
4716	svchost.exe
964	LocalkruiCzHbfZ.exe
3096	Umbral.exe
2868	Cr@ck tool pro.exe
1064	LocalxjFcltPSoC..exe
4556	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
4864	Synaptics.exe
4864	Synaptics.exe
3096	Umbral.exe
3096	Umbral.exe
2868	Cr@ck tool pro.exe
2868	Cr@ck tool pro.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	CODE STEALER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Cr@ck tool pro.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	discord.com
53	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	._cache_Umbral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Umbral.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Umbral.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_CODE STEALER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cr@ck tool pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Umbral.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CODE STEALER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cr@ck tool pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1688	cmd.exe
4680	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4440	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	LocalxjFcltPSoC..exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	LocalxjFcltPSoC..exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	LocalxjFcltPSoC..exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Umbral.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Cr@ck tool pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CODE STEALER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Umbral.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Cr@ck tool pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4680	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2244	._cache_Umbral.exe
Token: SeDebugPrivilege	1248	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
396	EXCEL.EXE
396	EXCEL.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4560	4452	CODE STEALER.exe	88
PID 4452 wrote to memory of 4560	4452	CODE STEALER.exe	88
PID 4452 wrote to memory of 4560	4452	CODE STEALER.exe	88
PID 4560 wrote to memory of 2204	4560	._cache_CODE STEALER.exe	89
PID 4560 wrote to memory of 2204	4560	._cache_CODE STEALER.exe	89
PID 4560 wrote to memory of 2204	4560	._cache_CODE STEALER.exe	89
PID 4560 wrote to memory of 2596	4560	._cache_CODE STEALER.exe	91
PID 4560 wrote to memory of 2596	4560	._cache_CODE STEALER.exe	91
PID 4560 wrote to memory of 2596	4560	._cache_CODE STEALER.exe	91
PID 4452 wrote to memory of 5028	4452	CODE STEALER.exe	92
PID 4452 wrote to memory of 5028	4452	CODE STEALER.exe	92
PID 4452 wrote to memory of 5028	4452	CODE STEALER.exe	92
PID 4560 wrote to memory of 2008	4560	._cache_CODE STEALER.exe	93
PID 4560 wrote to memory of 2008	4560	._cache_CODE STEALER.exe	93
PID 4560 wrote to memory of 2008	4560	._cache_CODE STEALER.exe	93
PID 2008 wrote to memory of 4420	2008	Cr@ck tool pro.exe	94
PID 2008 wrote to memory of 4420	2008	Cr@ck tool pro.exe	94
PID 5028 wrote to memory of 3800	5028	Synaptics.exe	95
PID 5028 wrote to memory of 3800	5028	Synaptics.exe	95
PID 5028 wrote to memory of 3800	5028	Synaptics.exe	95
PID 2596 wrote to memory of 1536	2596	Umbral.exe	96
PID 2596 wrote to memory of 1536	2596	Umbral.exe	96
PID 2596 wrote to memory of 1536	2596	Umbral.exe	96
PID 2008 wrote to memory of 4864	2008	Cr@ck tool pro.exe	97
PID 2008 wrote to memory of 4864	2008	Cr@ck tool pro.exe	97
PID 2008 wrote to memory of 4864	2008	Cr@ck tool pro.exe	97
PID 1536 wrote to memory of 5020	1536	._cache_Umbral.exe	98
PID 1536 wrote to memory of 5020	1536	._cache_Umbral.exe	98
PID 1536 wrote to memory of 5020	1536	._cache_Umbral.exe	98
PID 5020 wrote to memory of 2244	5020	svchost.exe	99
PID 5020 wrote to memory of 2244	5020	svchost.exe	99
PID 3800 wrote to memory of 1248	3800	._cache_Synaptics.exe	102
PID 3800 wrote to memory of 1248	3800	._cache_Synaptics.exe	102
PID 3800 wrote to memory of 1248	3800	._cache_Synaptics.exe	102
PID 4420 wrote to memory of 964	4420	._cache_Cr@ck tool pro.exe	104
PID 4420 wrote to memory of 964	4420	._cache_Cr@ck tool pro.exe	104
PID 3800 wrote to memory of 3096	3800	._cache_Synaptics.exe	105
PID 3800 wrote to memory of 3096	3800	._cache_Synaptics.exe	105
PID 3800 wrote to memory of 3096	3800	._cache_Synaptics.exe	105
PID 3800 wrote to memory of 2868	3800	._cache_Synaptics.exe	106
PID 3800 wrote to memory of 2868	3800	._cache_Synaptics.exe	106
PID 3800 wrote to memory of 2868	3800	._cache_Synaptics.exe	106
PID 4420 wrote to memory of 1064	4420	._cache_Cr@ck tool pro.exe	107
PID 4420 wrote to memory of 1064	4420	._cache_Cr@ck tool pro.exe	107
PID 4864 wrote to memory of 4556	4864	Synaptics.exe	108
PID 4864 wrote to memory of 4556	4864	Synaptics.exe	108
PID 4864 wrote to memory of 4556	4864	Synaptics.exe	108
PID 4556 wrote to memory of 5108	4556	._cache_Synaptics.exe	110
PID 4556 wrote to memory of 5108	4556	._cache_Synaptics.exe	110
PID 4556 wrote to memory of 5108	4556	._cache_Synaptics.exe	110

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CODE STEALER.exe
"C:\Users\Admin\AppData\Local\Temp\CODE STEALER.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\._cache_CODE STEALER.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_CODE STEALER.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAcgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AdQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAYQB4ACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Users\Admin\AppData\Local\Umbral.exe
    "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3912
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:512
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:1216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:4428
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:4440
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4680
- - C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe
    "C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\LocalkruiCzHbfZ.exe
        
        "C:\Users\Admin\AppData\LocalkruiCzHbfZ.exe"
        5⤵
        Executes dropped EXE
        
        PID:964
    - - C:\Users\Admin\AppData\LocalxjFcltPSoC..exe
        
        "C:\Users\Admin\AppData\LocalxjFcltPSoC..exe"
        5⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:1064
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAcgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AdQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAYQB4ACMAPgA="
        6⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Umbral.exe"
        6⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
        7⤵
        
        PID:872
      - C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe
        
        "C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe"
        6⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe"
        7⤵
        
        PID:1568
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAcgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AdQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAYQB4ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1248
  - - C:\Users\Admin\AppData\Local\Umbral.exe
      "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe"
        5⤵
        
        PID:4216
  - - C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe
      "C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe"
        5⤵
        
        PID:4804

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.3MB

MD5
1d07c9e8178116ebbb44fc17d1d759a6

SHA1
5581b932910066fad920a8e1349dd139c04fe36f

SHA256
2f62506fbd6dbca8a941cbf5632305aef1508f0b95e89a281d5c5ab0298381a8

SHA512
7d9c2bd01434e817812fa3fb64c0ee2a8603fc2bd6757d991d21acfef693b0ea74c6afb904c5c1ccaa88c27f828a24f32e7de0056bcac1dbf462a353b833d526

Download Submit
C:\Users\Admin\AppData\Local\Cr@ck tool pro.exe

Filesize
5.4MB

MD5
73ef361828eaddf64c6d14429ce12645

SHA1
fa3437df1b7e0016b9bee5af2d6e04a1ad416fdc

SHA256
d906273fe6cbc6db708b30f567ea499c52544f5eec79ebd1de35c4923397e731

SHA512
bf76b0c6b3733016d5901aadb5ee74bac8d5f1caa0887378f4486d1ed064482477da7e664e31007d9b3e3e2e1a801cd5736101f22569e1267df8021204769c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\._cache_Cr@ck tool pro.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\._cache_Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b3177f6579e14cef0339395bf8575911

SHA1
99aa625c95eb2e6142428c00d7642c8aa6bc6db9

SHA256
8440a0c6fe25f7032c9c2335ed3fea679faf9811098c244b53bf69ec005bdece

SHA512
12ea4300336313589624075dc82926d38a8cd43832aee03a3b53dc2cf392459601ce3a02034ab0534422009cb1496bfff505b84b59f8401ea111989a6f839855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
479fcf0c1bbd46c23e68cd630d7066e3

SHA1
25ea40d6ef91dc09fc304d070fd6181a25b8bba0

SHA256
207fd90b8e0e342110849b7827515cd692f015ba3e247bb7c07d6841a6e7cceb

SHA512
676e19353e02fc42d442eca32ac65924b54cb922ef6d0c385f77a9ab50a5f9c2a3b956a3b4e9a0a603df0d6d83146d3b5b98ba7629e01ec55d8e6d0a7f5e08bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
929c856a9f5f4fd187b9b324e39be583

SHA1
b5d74d5b632f2b0d892c0b763f7f9c36f8677fec

SHA256
67fc49d5d72ee25add82821193e326f1109d7b88189560492686a8f9d8b6c97e

SHA512
5746885b047af646bee26dc965c2fea100c395b2cc89a868af5d5858dd273497c3ea2f567c11439a84502cceea001a661352b8d0873c2cf09b1697c583fc61dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3b6c37e9cc9ecb91b8eb8cb3756fd33b

SHA1
b97c6294d2778c9065589db0e4633708054b3b2a

SHA256
e33fd17d0eeaf4af9af8f4b0400ff3a9036e5b915b3ec2d0a2685b260929e09e

SHA512
ab8c8fb2766e4dfa96b662d27aca35817d39679ec13cbe4e3fd5c575325f33fc821f9b0c6f3026d4c0c762b7aada2fd80e506b22ba0d0df504e58c0c07eeebe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_CODE STEALER.exe

Filesize
6.5MB

MD5
080645f772e7df42195f960aeb065d0d

SHA1
153d4f0f7688d056cb2843909fef9afd1e41878d

SHA256
8c100d2883d67de1c6a37deb08ab673b2900c1804c4350df8f7c9832824bc0c9

SHA512
a32e4b25d455d738c3b57755b59374ecf2a6199cf967c526bb73f31f1f91110969e509d44dccc35c4e275aa04873d8682dfd3ad43b626e857d9fd6610f572ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Cr@ck tool pro.exe

Filesize
4.7MB

MD5
1411e082c0aeffd915d371b2fbee1682

SHA1
00de4b0cf8892be0089b1ea4d132305fb5cce878

SHA256
01dfd0c323936653e13e1d265c6a14dae14cdd7339f03e684bf813cfbb5f61e5

SHA512
0cab0d5776494b5acebd52d3afbfba049eec0715ddcc37683ba94d3bc001975e760fb63fd52a6fcaa4b8469b8474857c5fb66370c273b302bbcd450e1e8c4fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe

Filesize
265KB

MD5
8ab3fbc8ff5cd8f082d0c5cfeb16211a

SHA1
05ef4f0fef59c8110b9af86f5ac0f1fb8ca1365c

SHA256
f587fa3189b532e3a4c203b93eae9dd0c7f7a735a806830cd00d29eb97cf2c87

SHA512
db19e3944330123650f73f82fd15a1a079b514415f30e80a1ffb14f37fd3ef528f2967a2b34032d6d08a376a3a2fd3a7162711deb47b6301434750bb1fa2020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Umbral.exe

Filesize
229KB

MD5
06b38b4286ab07b09e34030a13893cf8

SHA1
1741b0fec5104f2237c84f86e400b34ee457f510

SHA256
426f84b164f029d25bd87377d930c1532dd9fb1f490f0ddb2906f2c8006a2f8f

SHA512
e752bfa062a46682209dc8d5685b583a523af9a594ed92cb1ce97fda652ded92cffa032b1b69110ca04d7f52a7532aaa3011facfdd90baaeec91515424573df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5975E00

Filesize
22KB

MD5
b3a09a54a7394c232a4206073829abfa

SHA1
160f2e1301dc72a6108cdf7417cd8edaeddb3e42

SHA256
80028ad8ed55ac06cdb89ff69da914698465267a820256234041514524d5d766

SHA512
772d670a51fbb6f7b2be69dafd137b1fd4363116d705aca03ff0ba6f653a9a0675ba55d3dc883c0f62e70339dbdf32b3f9e691dba4815637e54c36f7c5314818

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ef53eaa.c0k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\komMH1us.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
1010KB

MD5
a111044ebfca2a48fa61811a280b74fd

SHA1
00706bb947841d2da94194c90e80c44295fdee63

SHA256
64d48211d390d081d91fdb003e052ec27ad6aece4ed83b8a29aa176bca95db89

SHA512
fea549d9444d709564ce4f2481ffbe02c52feff0285a39ba2f7b420d2de67c9def7ad8e28753819cf3a43b2ec2af5c9694f2580027863a3e2ceb9767ce7c0ac0

Download Submit
C:\Users\Admin\AppData\LocalkruiCzHbfZ.exe

Filesize
2.5MB

MD5
64f8d3c28c9199f8e5bd467ca4fd7d60

SHA1
dd5d5f40e0e279d43fd15c0f4b38694d2323b18b

SHA256
5bb9b7ecf73bb2def4a58fedf4d0f4d338e952a3ff94657fc6d92b6c5d51b4c8

SHA512
43229997f2a919309ec9e057a3be15c89972a8314ddaf8a12eaee0a26619546dfe2684547d8c05d7403600698620258093c9a96a34088bb3d53d58663481aad9

Download Submit
C:\Users\Admin\AppData\LocalxjFcltPSoC..exe

Filesize
2.0MB

MD5
b850349b9cda341dbda6b3f802404a6d

SHA1
d5e59a691890513d09ec1f10fbbdf3736dafa86b

SHA256
7e8be2d052b9e63b3828381447cf49bd4af8ad4c8c873f85eaf565c8e905f9da

SHA512
360e6a9fee7710e4a3ac1a382d222b8cb8311ee27d03d62592b936da718c7fc2f06802fa7709ae5e2ed49c5e8d0f9d1949e1070d8f2f441794ad2b7e2ff0cf75

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/396-360-0x00007FF7DB8F0000-0x00007FF7DB900000-memory.dmp

Filesize
64KB

Download
memory/396-337-0x00007FF7DDF50000-0x00007FF7DDF60000-memory.dmp

Filesize
64KB

Download
memory/396-313-0x00007FF7DDF50000-0x00007FF7DDF60000-memory.dmp

Filesize
64KB

Download
memory/396-312-0x00007FF7DDF50000-0x00007FF7DDF60000-memory.dmp

Filesize
64KB

Download
memory/396-310-0x00007FF7DDF50000-0x00007FF7DDF60000-memory.dmp

Filesize
64KB

Download
memory/396-367-0x00007FF7DB8F0000-0x00007FF7DB900000-memory.dmp

Filesize
64KB

Download
memory/396-311-0x00007FF7DDF50000-0x00007FF7DDF60000-memory.dmp

Filesize
64KB

Download
memory/1064-366-0x000001D26E0C0000-0x000001D26E2C0000-memory.dmp

Filesize
2.0MB

Download
memory/1064-401-0x000001D271A20000-0x000001D271A5C000-memory.dmp

Filesize
240KB

Download
memory/1064-368-0x000001D26FE40000-0x000001D26FE52000-memory.dmp

Filesize
72KB

Download
memory/1064-369-0x000001D2708F0000-0x000001D270B02000-memory.dmp

Filesize
2.1MB

Download
memory/1248-450-0x0000000073450000-0x000000007349C000-memory.dmp

Filesize
304KB

Download
memory/2008-288-0x0000000000400000-0x0000000000974000-memory.dmp

Filesize
5.5MB

Download
memory/2204-462-0x0000000007A10000-0x0000000007A24000-memory.dmp

Filesize
80KB

Download
memory/2204-448-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/2204-251-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/2204-302-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/2204-250-0x0000000004ED0000-0x0000000004F06000-memory.dmp

Filesize
216KB

Download
memory/2204-301-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/2204-303-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/2204-372-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/2204-415-0x0000000073450000-0x000000007349C000-memory.dmp

Filesize
304KB

Download
memory/2204-414-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/2204-426-0x0000000007670000-0x0000000007713000-memory.dmp

Filesize
652KB

Download
memory/2204-425-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/2204-428-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/2204-427-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/2204-429-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/2204-373-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/2204-449-0x00000000079C0000-0x00000000079D1000-memory.dmp

Filesize
68KB

Download
memory/2204-465-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/2204-461-0x0000000007A00000-0x0000000007A0E000-memory.dmp

Filesize
56KB

Download
memory/2204-329-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-463-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/2244-539-0x000002A327930000-0x000002A32794E000-memory.dmp

Filesize
120KB

Download
memory/2244-576-0x000002A3292C0000-0x000002A3292D2000-memory.dmp

Filesize
72KB

Download
memory/2244-575-0x000002A329290000-0x000002A32929A000-memory.dmp

Filesize
40KB

Download
memory/2244-538-0x000002A329230000-0x000002A329280000-memory.dmp

Filesize
320KB

Download
memory/2244-537-0x000002A3419C0000-0x000002A341A36000-memory.dmp

Filesize
472KB

Download
memory/2244-300-0x000002A327470000-0x000002A3274B0000-memory.dmp

Filesize
256KB

Download
memory/2596-285-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2856-477-0x0000022CAA750000-0x0000022CAA772000-memory.dmp

Filesize
136KB

Download
memory/2868-395-0x0000000000400000-0x0000000000974000-memory.dmp

Filesize
5.5MB

Download
memory/2964-413-0x0000000000400000-0x0000000000974000-memory.dmp

Filesize
5.5MB

Download
memory/3096-376-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4420-269-0x0000000000D10000-0x00000000011CE000-memory.dmp

Filesize
4.7MB

Download
memory/4452-0-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4452-123-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4716-523-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4716-598-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4728-411-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4864-522-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/5020-304-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5028-521-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/5028-596-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/5108-464-0x0000000073450000-0x000000007349C000-memory.dmp

Filesize
304KB

Download