umbral | hxxps://gofile[.]io/d/FAdHjT

Analysis

max time kernel
131s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-01-2025 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/FAdHjT

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ac4f-108.dat	family_umbral
behavioral1/memory/1624-141-0x00000276312A0000-0x0000027631322000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
4620	powershell.exe
232	powershell.exe
3544	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	OPSECTECH.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	OPSECTECH.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
2	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OPSECTECH.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3184	cmd.exe
2944	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4040	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801670491823551"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OPSECTECH.exe:Zone.Identifier	chrome.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\7y3DY.scr\:Zone.Identifier:$DATA	OPSECTECH.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2944	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
1624	OPSECTECH.exe
1624	OPSECTECH.exe
1044	powershell.exe
1044	powershell.exe
1044	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 3464	3476	chrome.exe	78
PID 3476 wrote to memory of 3464	3476	chrome.exe	78
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 3508	3476	chrome.exe	79
PID 3476 wrote to memory of 4584	3476	chrome.exe	80
PID 3476 wrote to memory of 4584	3476	chrome.exe	80
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81
PID 3476 wrote to memory of 4576	3476	chrome.exe	81

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1912	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/FAdHjT
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0e07cc40,0x7ffe0e07cc4c,0x7ffe0e07cc58
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3364,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3316,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5080,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5220,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2524
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5044
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\OPSECTECH.exe"
    3⤵
    - Views/modifies file attributes
    PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\OPSECTECH.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2268
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2452
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3544
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4040
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\OPSECTECH.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3184
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=996,i,3034400553882791244,11422673296857670154,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4720

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
70805618c6d79e68ec13de5583626979

SHA1
d22ba7721a6fffb179a6b925d4599e4598440ab3

SHA256
b2c081963109f696417ea6ad0efd6409dbd6e58a44d42a979776a6163252f546

SHA512
a1f3bcee24f2912cba8fc7595da5632079c53a4620dc5d4c6737e307436634bf1e186a5d15fb975e59809f73e6aed44fee0d624e708fe0a102dfa4162f7dca60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
bfbf8981125acf95b14882c8cddf5a47

SHA1
c0644f5d10877c6131c68126c0056d36b3498faa

SHA256
3bcd6740a2dd27d08748711a4da5d276a6ee18babe7894907a4d0b184dbd3155

SHA512
ca93dbfedfd91ae17e4ed5e3d63f5e5010284b30092e06cff66c8cdbf8d6366613372e0147e5732860bf0e7c6e87dafb5700ba1db6e8fb36e3b1fe6b953a978e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
4cef9c8d45581d581c05daf1dc5a62eb

SHA1
c61568f5e342348fe1200068878879f8e01069ba

SHA256
129eb8ffa84e2eedc82b2bfe3e142804900c724964be2a5004a4a6e5275a8f8c

SHA512
6bf9446dedcbdf28b5186778da823583895cae99fdcc97301a618b743044d05c20928d27eaf16a29cd08d57397cba73a904e201f4c1763ee965ec2418d1c337a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d304014f82d6bb6d62618473e0d660c6

SHA1
f2e6900dbbfb6b0eb2206b41258dcc55d548d555

SHA256
a79376ef02a20ef5910e5e904da8e217af7d099870a6fa9f899ffb1980e86a16

SHA512
100155151feba9e02b8ae52ad03953e6577ee1c8548ace5066b4bdbaa3e253670e9c969466e25d4158129ecc1862a87d6af6f505e79b970537259357917c0f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
ea97d51614e4292d07b43064d74debc1

SHA1
12480995224681c2b7af706d151e5edd3abef1f9

SHA256
7c1c6120f647ace31d778ae0010513296445a7125199581587477408deaa7aef

SHA512
f6eb9e563e5fab4f81ac600e4de0a615e4270f1d9fafc340dca5c08c4ebd3ae9bf9a3cd70ae6c7d69c3454fb647bceb31aa056b633dc5ecabb1c55aa91cef136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
361999d2622e0908c88d43decdc865fd

SHA1
5f7b098b111eebe6320ecce9d60dbc348db96892

SHA256
aee471307cf8f55ea3a795facc8b01456143269ab51333d43c130782f551bd5d

SHA512
0eba18f784f60442347d53fbcacee535572d66aed51c753e0f8b32a9df135791ee424eee5f0b9c58edb8c26a92e40f7dec329e441992b88a5454e4d6112e2bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62c50213e79a6722bd12893cc08de746

SHA1
26aecad798ae19e49c366a6381c157528c5658a3

SHA256
aec8aedd5d7de10ea93c47d5fd43072df25ab04af5198d37056bd737094a0d99

SHA512
604ee9b17fe24f02eda4b40b2ed93b2ebf6041a9e8731f907cee0dc12317a9f33723c8573fe506c8c1b8bcda2a474b4712b5dbfddfd1e4b26841b2472c2e074d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd3c70ee9a8e8d9426d3e47eeaa44671

SHA1
6bc02c52ef7f251a8c94e081e2e4d43a19187b04

SHA256
12cff16efdba291cf68d57a5bcf039274f9304db2a7d1b30928b350e4739dfaf

SHA512
cee37eeb82229e979762af36c06a595811cf806438ff851f73568c3d5361c5bc29bfd6b39b303acf285f05459edb01fa65f449e2b66cc35a1d5821d9e847f21d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fae0f8c67461964ef7001642baa1474e

SHA1
0808d4a52a549194d491b7d2c3b2aef1ce811a2f

SHA256
807e34694fe3ca64900355b49b6488d1d09e63dbd830ea23eca22cf2f2c6f71b

SHA512
a69fb80b38516f85fb14d3df292280e260f0899f8c8ed74a7aa65db81399b3e02efe322332d614abf64d15a56e078fa32cd3525a038bdbf1f4d3ee05ca58702f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb32f95574bf810e0923b7ac667e41d0

SHA1
99291318db29a7203ad2064f56af292435c89cb2

SHA256
e94f23bfd426a5a1479c168f703cff345091b80413b148763689b1d83a423d7e

SHA512
89b575f6010a8d251c0c9a5f9f0746ee761bec7574cd2c86f4ee0f1588a9e5841f68b415e28c25450e11be63eb26081546a8f3c65d10e8a3e2a7b1dfe0e3d38c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a76082e329f02249ba6cac9cdc29c79b

SHA1
95ee1fd158bbaacb23a62244b96b9d3a7e3cb67f

SHA256
2b5e6c10d90bb11325b6270d28b68144e9e468d92cf617d8d99d04801af2c0a2

SHA512
ad9009bace5d68bba339b91c84ecc886eab3f24f3d0665ec2e5c2089796b84f3dc48b051696186383834dd5f31f37b770e18b1b1f3958237c0848020d8780220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b4ebdab260c8e3e71d568e8e0b9276e

SHA1
0a56f0ba6c9f83e43c959f0f86003a0c343c8ef7

SHA256
4cbcc32f611240ccc3168d37785beefe54a2fcec9f8039f4b57544b5777ae7a4

SHA512
668bd6cc064906b3a89fff5cfe085437476ba56e64449460a8869c8f7544b8aa914c1c77398a125b08dd6c61dbdffa1c79f908713112a23fb7b0ba502ccb4076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f01df20e0fe6bbca1fa2ee7809255461

SHA1
3fe1a4474baaf75b81b6e22f2f32ec572b90ac41

SHA256
7c42a046d0636ac77be8fe3eda6e7d6fa9cd1861ce39b1578db40e48ef91c016

SHA512
9ca89b9ecacc95080ec9360f7a1bba259af37e67dd2a036431c5497dffa9b068100cd1b5795789dea6d9dce44ed758138bc3bc945420815557fd42d8963fb365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a2c5bf7dd624c96b17720b9e7f5b6ba

SHA1
503a521968407c5d1ebd9be4ebc40c3d9926e567

SHA256
490c823765701f4324c779cf78c98036fabd0b6938bdf9d10115aad469b02e58

SHA512
ff700490238e52cc39311a291baec5a0cea6a2f84c970708ffdb3d7bf06fc7c155a96421f182d943b57b6f2036fc8437f2c968320f6ce749b4fadfcedb693eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
a71ed330ff9afd455753ba44820430fd

SHA1
66718415b0fa8314521be4e6802a3a4df82e20be

SHA256
f3d00f1b6d81ef89d63f1910e057dd1582df53a8929d46495dfa1d869289f728

SHA512
a7ff7efbd631079939a46c80bd819163114dd24b009d7b53ab0a4ab8bfb0e45e636e30c6cb71ef3101db893d04868423e9934831d9f80a5b38238f5794a964ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
e6b6126981de70afff1da3045897664d

SHA1
fc70f26873adfba8240127ce0d331760af6ad66b

SHA256
b456a577d0f1504d9f09c30b3b386a03a6349507a95bd5c0457cb83705774a52

SHA512
138f0b0e7b6fe6ca64748e720bade1a07af787df3bc2c23ff6e34c7fe9cfac0ec0b0ac4cd1fb3d3d9294c6912d39e1e27797ba9506a1a0d8906fe91406f106e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d80c90c20d0f5c8f07229716f2beffef

SHA1
42dcd92a3a1059e5e559e1cd110ec98a3ac45e3e

SHA256
5ba478485882ee7c7aa928af8c98e7754e876887e00a0c69520d20bd4926e7f6

SHA512
d6a4b14a52154db7c5af19e60910774d61704e7a6243ba5f73e11f7b692ea75840730e04eaccb59387021edf57506e0c2999e4237e8d921a01053eb4a3274ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
991e8f3bdc04acca98024f7311752070

SHA1
76005ee90a2772414bc7231d6192a942dde9d499

SHA256
788799ff1be9e0abccbadc1d574ed7f36e7bc6833d942b5c177ed4e50c6dae44

SHA512
b7ecfcc910ecf00694e1b65ff4aa34caeb8f05db2aa10ca032885d1262efe74dee874abaa1399297144259f3ce2a7e48301c79477c51c5369c5911742c4fc326

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f6224b9f-266f-4c56-8c44-83369b4b76c0.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mu2dyh2y.jau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\OPSECTECH.exe:Zone.Identifier

Filesize
156B

MD5
0c9daa5b5a9c0a200cbce3cdc108455d

SHA1
83641706406379b13bd20254eaafd93888eba6fe

SHA256
af9982a3491dd1b59c4abca60c8586b275c1b25a8d5dbd327ea4ba258d33de3d

SHA512
7c1bed0d9786c77f4ab3638dfba9423ed3a3e8b46cb0c1e7246d5c92a68890240738172d5e57e1d18435041d7c127d644dab7e1920dee899b6269821930831dc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 841627.crdownload

Filesize
491KB

MD5
1a8d19faa4ff9eb5b69ee77b3a267818

SHA1
c2b4c7fdd891f4c7eef6d48d530bc7d0fee2b70b

SHA256
4975012fe58168b1b6f479b52be3c3c2a197c46448178bdefcbc9553aff37abf

SHA512
8f1e3a8c3747cd34b561350d915d405678a8015bf4ff7a468f4fb568d80fe14f47e40a4ab77e7193b041b575557e7073e1403d12c02c7e6932ab71bbc5e41367

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1044-151-0x0000028475990000-0x00000284759B2000-memory.dmp

Filesize
136KB

Download
memory/1624-213-0x000002764BB30000-0x000002764BB42000-memory.dmp

Filesize
72KB

Download
memory/1624-212-0x000002764BA50000-0x000002764BA5A000-memory.dmp

Filesize
40KB

Download
memory/1624-141-0x00000276312A0000-0x0000027631322000-memory.dmp

Filesize
520KB

Download
memory/1624-178-0x000002764BBD0000-0x000002764BC20000-memory.dmp

Filesize
320KB

Download
memory/1624-177-0x000002764BAB0000-0x000002764BB26000-memory.dmp

Filesize
472KB

Download
memory/1624-181-0x000002764BA80000-0x000002764BA9E000-memory.dmp

Filesize
120KB

Download