umbral | 28163caef95204c2ab19d97d52978de33323d65196bd2056c6dc06e15f755eba

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dsfResult.exe
Size

2.3MB
MD5

ca93060ae27c34849c7e65dc0da210fc
SHA1

5c589772ee781c45d26b903a5555784ceb8e7e85
SHA256

28163caef95204c2ab19d97d52978de33323d65196bd2056c6dc06e15f755eba
SHA512

4f9831d35f73b5921d00d5f9693cd46491b692e49a9a30ea85e5710fa11be97f11107db748f25e304564de5a925494ed43eafd576f063f75af342f7809dd4d0e
SSDEEP

49152:+4TW5myjkHicujBk84J8bOdiIMYvLl88d971/Ka1yn:+4y5LjkCNjBkN8KA7YvLld99lsn

Score

10^/10

umbral credential_access discovery execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1360210646112665720/qXg1qF4JZ6j3Rqqts-_rZSbjGedO1RuAq7HLooe-TstGKKIib9a91A7sjYj3Xa-Dhtsc

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242c9-33.dat	family_umbral
behavioral1/memory/2632-34-0x000001B8F4980000-0x000001B8F49C0000-memory.dmp	family_umbral
behavioral1/memory/1656-35-0x0000000000400000-0x0000000000650000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
5040	powershell.exe
3452	powershell.exe
4828	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	dsfResult.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation	Everything.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 9 IoCs

pid	Process
4560	.exe
3096	Client.exe
2632	Umbral.exe
5268	Everything.exe
2544	Everything.exe
5932	Everything.exe
4692	Everything.exe
232	Everything.exe
828	Everything.exe

Loads dropped DLL 6 IoCs

pid	Process
4560	.exe
4560	.exe
4560	.exe
4560	.exe
4560	.exe
4560	.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files\\Everything\\Everything.exe\" -startup"	Everything.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\W:	Everything.exe
File opened (read-only)	\??\A:	Everything.exe
File opened (read-only)	\??\G:	Everything.exe
File opened (read-only)	\??\Q:	Everything.exe
File opened (read-only)	\??\T:	Everything.exe
File opened (read-only)	\??\X:	Everything.exe
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\Z:	Everything.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\J:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\B:	Everything.exe
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\P:	Everything.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\O:	Everything.exe
File opened (read-only)	\??\R:	Everything.exe
File opened (read-only)	\??\S:	Everything.exe
File opened (read-only)	\??\U:	Everything.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com
16	pastebin.com
17	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
25	icanhazip.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Everything\Everything.exe	Everything.exe
File created	C:\Program Files\Everything\Changes.txt	Everything.exe
File created	C:\Program Files\Everything\License.txt	Everything.exe
File created	C:\Program Files\Everything\Everything.lng	Everything.exe
File created	C:\Program Files\Everything\Uninstall.exe	Everything.exe
File created	C:\Program Files\Everything\Everything.ini.tmp	Everything.exe
File opened for modification	C:\Program Files\Everything\Everything.exe	Everything.exe
File created	C:\Program Files\Everything\Everything.ini.tmp	Everything.exe
File opened for modification	C:\Program Files\Everything\Everything.ini.tmp	Everything.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsfResult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2940	cmd.exe
5140	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1568	wmic.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text"	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\Content Type = "text/plain"	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\ = "Everything.FileList"	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Список файлов Everything"	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon\ = "C:\\Program Files\\Everything\\Everything.exe, 1"	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command\ = "\"C:\\Program Files\\Everything\\Everything.exe\" \"%1\""	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files\\Everything\\Everything.exe\" -edit \"%1\""	Everything.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5140	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6116	schtasks.exe
1064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2632	Umbral.exe
4828	powershell.exe
4828	powershell.exe
2868	powershell.exe
2868	powershell.exe
5040	powershell.exe
5040	powershell.exe
4792	powershell.exe
4792	powershell.exe
3452	powershell.exe
3452	powershell.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe
3096	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	Client.exe
Token: SeDebugPrivilege	2632	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4644	wmic.exe
Token: SeSecurityPrivilege	4644	wmic.exe
Token: SeTakeOwnershipPrivilege	4644	wmic.exe
Token: SeLoadDriverPrivilege	4644	wmic.exe
Token: SeSystemProfilePrivilege	4644	wmic.exe
Token: SeSystemtimePrivilege	4644	wmic.exe
Token: SeProfSingleProcessPrivilege	4644	wmic.exe
Token: SeIncBasePriorityPrivilege	4644	wmic.exe
Token: SeCreatePagefilePrivilege	4644	wmic.exe
Token: SeBackupPrivilege	4644	wmic.exe
Token: SeRestorePrivilege	4644	wmic.exe
Token: SeShutdownPrivilege	4644	wmic.exe
Token: SeDebugPrivilege	4644	wmic.exe
Token: SeSystemEnvironmentPrivilege	4644	wmic.exe
Token: SeRemoteShutdownPrivilege	4644	wmic.exe
Token: SeUndockPrivilege	4644	wmic.exe
Token: SeManageVolumePrivilege	4644	wmic.exe
Token: 33	4644	wmic.exe
Token: 34	4644	wmic.exe
Token: 35	4644	wmic.exe
Token: 36	4644	wmic.exe
Token: SeIncreaseQuotaPrivilege	4644	wmic.exe
Token: SeSecurityPrivilege	4644	wmic.exe
Token: SeTakeOwnershipPrivilege	4644	wmic.exe
Token: SeLoadDriverPrivilege	4644	wmic.exe
Token: SeSystemProfilePrivilege	4644	wmic.exe
Token: SeSystemtimePrivilege	4644	wmic.exe
Token: SeProfSingleProcessPrivilege	4644	wmic.exe
Token: SeIncBasePriorityPrivilege	4644	wmic.exe
Token: SeCreatePagefilePrivilege	4644	wmic.exe
Token: SeBackupPrivilege	4644	wmic.exe
Token: SeRestorePrivilege	4644	wmic.exe
Token: SeShutdownPrivilege	4644	wmic.exe
Token: SeDebugPrivilege	4644	wmic.exe
Token: SeSystemEnvironmentPrivilege	4644	wmic.exe
Token: SeRemoteShutdownPrivilege	4644	wmic.exe
Token: SeUndockPrivilege	4644	wmic.exe
Token: SeManageVolumePrivilege	4644	wmic.exe
Token: 33	4644	wmic.exe
Token: 34	4644	wmic.exe
Token: 35	4644	wmic.exe
Token: 36	4644	wmic.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	4192	wmic.exe
Token: SeSecurityPrivilege	4192	wmic.exe
Token: SeTakeOwnershipPrivilege	4192	wmic.exe
Token: SeLoadDriverPrivilege	4192	wmic.exe
Token: SeSystemProfilePrivilege	4192	wmic.exe
Token: SeSystemtimePrivilege	4192	wmic.exe
Token: SeProfSingleProcessPrivilege	4192	wmic.exe
Token: SeIncBasePriorityPrivilege	4192	wmic.exe
Token: SeCreatePagefilePrivilege	4192	wmic.exe
Token: SeBackupPrivilege	4192	wmic.exe
Token: SeRestorePrivilege	4192	wmic.exe
Token: SeShutdownPrivilege	4192	wmic.exe
Token: SeDebugPrivilege	4192	wmic.exe
Token: SeSystemEnvironmentPrivilege	4192	wmic.exe
Token: SeRemoteShutdownPrivilege	4192	wmic.exe
Token: SeUndockPrivilege	4192	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
232	Everything.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
232	Everything.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
232	Everything.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4560	1656	dsfResult.exe	85
PID 1656 wrote to memory of 4560	1656	dsfResult.exe	85
PID 1656 wrote to memory of 4560	1656	dsfResult.exe	85
PID 1656 wrote to memory of 3096	1656	dsfResult.exe	86
PID 1656 wrote to memory of 3096	1656	dsfResult.exe	86
PID 1656 wrote to memory of 2632	1656	dsfResult.exe	87
PID 1656 wrote to memory of 2632	1656	dsfResult.exe	87
PID 2632 wrote to memory of 4644	2632	Umbral.exe	89
PID 2632 wrote to memory of 4644	2632	Umbral.exe	89
PID 2632 wrote to memory of 4744	2632	Umbral.exe	91
PID 2632 wrote to memory of 4744	2632	Umbral.exe	91
PID 2632 wrote to memory of 4828	2632	Umbral.exe	93
PID 2632 wrote to memory of 4828	2632	Umbral.exe	93
PID 2632 wrote to memory of 2868	2632	Umbral.exe	95
PID 2632 wrote to memory of 2868	2632	Umbral.exe	95
PID 2632 wrote to memory of 5040	2632	Umbral.exe	97
PID 2632 wrote to memory of 5040	2632	Umbral.exe	97
PID 2632 wrote to memory of 4792	2632	Umbral.exe	99
PID 2632 wrote to memory of 4792	2632	Umbral.exe	99
PID 2632 wrote to memory of 4192	2632	Umbral.exe	101
PID 2632 wrote to memory of 4192	2632	Umbral.exe	101
PID 2632 wrote to memory of 5104	2632	Umbral.exe	103
PID 2632 wrote to memory of 5104	2632	Umbral.exe	103
PID 2632 wrote to memory of 3332	2632	Umbral.exe	105
PID 2632 wrote to memory of 3332	2632	Umbral.exe	105
PID 2632 wrote to memory of 3452	2632	Umbral.exe	107
PID 2632 wrote to memory of 3452	2632	Umbral.exe	107
PID 2632 wrote to memory of 1568	2632	Umbral.exe	109
PID 2632 wrote to memory of 1568	2632	Umbral.exe	109
PID 2632 wrote to memory of 2940	2632	Umbral.exe	111
PID 2632 wrote to memory of 2940	2632	Umbral.exe	111
PID 2940 wrote to memory of 5140	2940	cmd.exe	113
PID 2940 wrote to memory of 5140	2940	cmd.exe	113
PID 3096 wrote to memory of 4212	3096	Client.exe	114
PID 3096 wrote to memory of 4212	3096	Client.exe	114
PID 4212 wrote to memory of 6116	4212	CMD.exe	116
PID 4212 wrote to memory of 6116	4212	CMD.exe	116
PID 3096 wrote to memory of 1164	3096	Client.exe	117
PID 3096 wrote to memory of 1164	3096	Client.exe	117
PID 1164 wrote to memory of 1064	1164	CMD.exe	119
PID 1164 wrote to memory of 1064	1164	CMD.exe	119
PID 4560 wrote to memory of 5268	4560	.exe	121
PID 4560 wrote to memory of 5268	4560	.exe	121
PID 5268 wrote to memory of 2544	5268	Everything.exe	122
PID 5268 wrote to memory of 2544	5268	Everything.exe	122
PID 4560 wrote to memory of 4692	4560	.exe	127
PID 4560 wrote to memory of 4692	4560	.exe	127
PID 5428 wrote to memory of 232	5428	cmd.exe	128
PID 5428 wrote to memory of 232	5428	cmd.exe	128
PID 4560 wrote to memory of 828	4560	.exe	136
PID 4560 wrote to memory of 828	4560	.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\dsfResult.exe
"C:\Users\Admin\AppData\Local\Temp\dsfResult.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\.exe
  "C:\Users\Admin\AppData\Local\Temp\.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\Everything.exe
    "C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1049 -save-install-options 0"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5268
  - - C:\Program Files\Everything\Everything.exe
      "C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1049 -save-install-options 0
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      PID:2544
- - C:\Program Files\Everything\Everything.exe
    "C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1049
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4692
- - C:\Program Files\Everything\Everything.exe
    "C:\Program Files\Everything\Everything.exe"
    3⤵
    - Executes dropped EXE
    PID:828
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6116
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1064
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3452
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1568
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5140

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe" -svc
1⤵
- Executes dropped EXE
PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Everything\Everything.exe" -startup
1⤵
- Suspicious use of WriteProcessMemory
PID:5428
- C:\Program Files\Everything\Everything.exe
  "C:\Program Files\Everything\Everything.exe" -startup
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Everything\Everything.ini

Filesize
215B

MD5
b2b308d8c164f75bc11bccf7baf3df67

SHA1
6f1e5561268b2db5b46bb6f738c0f7a637fd6b6d

SHA256
f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5

SHA512
5cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659

Download Submit
C:\Program Files\Everything\Everything.ini.tmp

Filesize
20KB

MD5
110d8032ea69a8f9dbb3b430a8ca3ec2

SHA1
77a41459c62f900f1f41702144fc2b4a2b60b6bb

SHA256
c1e5e7590aefacb2f1c5e876973cc17c2026b8353cd890488fbaf3df5b726bf4

SHA512
955a1d9b5fe385689c03318b742b97592c2f824edb5355f301f11bdf85d712f1a39048fb53412c9e89b383e72f3933cb7b953cb9d495652c1576e653e565a520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79f6952813009f51247491052ca9ebbb

SHA1
78210dbe806bcde87a5f00201c9068bc1737a9ca

SHA256
bee2da5d5a697d09df4aa2b1c374a083a49b4f319c11da53c43ce9520b72a5dd

SHA512
cd019d3dc84665413a23cb2f4ed8fbe6bd6673928144d7af31e70d46dc24ce876bd5ffb11cb65fd5532f8f00bd793dd883200069b06dc93becf5d1db0399c22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3332c2f747b79a54dc9f4867423e31c3

SHA1
de8440945ab0c382b6657dd2e6f50bbc2a4b73bd

SHA256
f8ddc8eddb53247304e5463829cbf8d1a420a77781237820efa0c94ab18612cd

SHA512
96fcc7c39335ce60da1f8db2ff9b62324d60080fb1a5a81262a26c311b78117bf85b481113800f88ac6a37b7ba26a7be510f3c098b26828c751974339a1e8835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
1.8MB

MD5
d421ffd2ba591f56d43f601deeec09c5

SHA1
39c58fe62e2e6110d46a51eff235d69cae92e034

SHA256
dae32a49b6052f0ec70895dd4e35b2b26222f7f4c19c36d9d309033e2fb622bc

SHA512
abdfa8bfcedcc45528630a1c9ec618fe1ef013de2b13e10327598ed31e4fae0897d97d565111b02bc8fefc822120be9c7a24ce0a98fbf586f7fe00ea555be0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
228KB

MD5
9d13457fe2154ed1c7c5d080b4e89d75

SHA1
813a1143530624a7ebb51eb041d8ab1b1349c428

SHA256
4433cbb68bb1948a9093af9d3e4ca43dd9d2e8ab1eb4ef172c84a18122211dbb

SHA512
4665ce02912a5d27a847b91fc7dc1a1cd215febe16fa2bd9d90694a9ce45d5475255cdd0d9e2d57c00b61bbdd94ffce6e71227d04530544591043216be48341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
e4b51d29d135168fc262065999c10f6a

SHA1
8f7d8872ee04c47af338ea0fe8480a3e5be2d6bb

SHA256
72717c89182aa16055fca98ccb899f86084a888681cd5621dcdba99d08056c7c

SHA512
d539a85bdbd0bcaa52ed8483d124f61875eb1b28d5bd353087eee1332efd3bf948fcd672e77b06755ccb4af7c1783db87091d99f78da41f12f8187fd22927fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvwjmxx4.yvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C8F.tmp

Filesize
449KB

MD5
6516f29b0edc796fa4b96c182a739254

SHA1
f9af58d4c1eb3ae3ce10d4ca3ac86dfd76464e53

SHA256
1c6e4a06a3b467e41cdc806d10733d2041e69ddfcad4d54291d3d7ae88fe5399

SHA512
5d34c01a627262d8cb7a48f0fefcf73bd60182654a36e811991aa85a943bb6fc282fb929db1a0bd4af2d780691e434ac02334c16a9466b569d54e1c3fa62ba9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\Changes.txt

Filesize
19KB

MD5
e3cc8979834c21ddcc26bd94599242f6

SHA1
2045335da8e3a5723547e0c728d3323ecff2aa15

SHA256
9871a374b9e6b8660004450f2e735dda01025d4cb51eae0c296fee3fc285d9df

SHA512
f25e89f6cc99c06197889f60e1898af4b1ea309aed9194e42fc5107b0101a195d795690f5ee5f98475a3fe252b839eb6367b154ca8686eb04d033b682002036b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\Everything.lng

Filesize
935KB

MD5
112f64226ee5a339bbe7aefbd9e8deba

SHA1
d9f73eaf2b60531ca155814d217a3b480c940b75

SHA256
d925b044baa9af9375b8918758a4ccf12b48c5dc7b4aaba8791b92e77e9233f1

SHA512
d349d1546b031babb84450e66d2e92570441a07f5ef5d8ce843043e03f9050beb160d6fd343ebf3b730a116070f7ca017cd268ab1bf20e0ab71f876542678a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\License.txt

Filesize
1KB

MD5
7ab8135f730a9ec0f677921caf8eb242

SHA1
5b72cedb7997ddbfc1b80dfe199d2f017e76c3a0

SHA256
34ce4ad0d7fead4e912dc20225314c03fcf234a898796a9ef2ec1761277ee48c

SHA512
702a865053fff1e74e1fffee1ea6a44e699de25387bff7af228decde0c0003203108ddd435df46936f693e576f2f3f44be2e184bdd97c383238e1c9e92915808

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\Uninstall.exe

Filesize
137KB

MD5
5bc130224a4bb1ccf8765bbb70244b4f

SHA1
dcb135c1598be3161a5d5c52315122f18d89f3a9

SHA256
2d2ef89159efc42b104f13ea771d9d50922f2f8193ff865cf4f982eb13cf45e3

SHA512
4bbcc058c89f420a9150e9c5539a894d56bd9b35e8498bfe8bbb581869310cb972edcd76a65665a172bed3af0c1f311ef354833a952b2c48ec4e152d29da7f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\Everything\everything.exe

Filesize
2.2MB

MD5
59872dc7c88df7d0b01f9e93e5a4489d

SHA1
b0458bfc15492416e15f3a8f77f9fbbac856f261

SHA256
c194acec8a66c7c73438098e673328bbab594ab489401823038bc3a97ec70a72

SHA512
c5a6cf1ebd4bb7572cb5fa2d3f7c07abfad869c80b7eb8346f1b9b02f908ad8d60bc2d66e2c643ed162abf1ad844cc994a5151b8dd7771b12efb0e395a6fe01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions.ini

Filesize
1KB

MD5
e2808f4be298a32ae279ee9ebacd0a0c

SHA1
b7929c346ba7a7aa690a766e4f70bc1d44f75460

SHA256
99b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52

SHA512
a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions.ini

Filesize
1KB

MD5
aed050cd7b898532395bb67cfcf666b3

SHA1
3406a56fe12634a676c5813962cbd9b6a830dabd

SHA256
0dd368728c665192a379d5916691353928462d5489ce7e4696a468fb89543be8

SHA512
0175790e94f385dfaae5baf5d3a3c23865647ddbd7b099e7e2a142d705b7d0fd536923bd13befe0e9e2c182db29a5214eb7af138abbd635445f151b7301241ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions.ini

Filesize
1KB

MD5
4659bc0d132ac98970e0dd63ead591d1

SHA1
3c0c8c844bda61d79029776d156f839073dd02a5

SHA256
e3db60dc1acff9e5a8d5a9170d600f9bea7ad3ca9fd0c4a360ddeb1fe91f329c

SHA512
226165be9e5207bcb4bf6a789fda78dd99fa64ba75eb994ff93b62541d39e0d8858aad2312c03ceb8a3bd3d07476f5341000e9f51dcbdff3fee6db23a02ecb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions2.ini

Filesize
2KB

MD5
a6634dd375de49a06ff7c8c65f03bb42

SHA1
2834f907bb17d0916cfd1285718695f866e319d6

SHA256
caf045fdf50d8706410dabb4b4db6edab64d09a1c4229854666c5fdcbc70f35d

SHA512
c2d65ed0b99084753447711ea46e2805017b51917851bc7b53a96e58c49b92acf9f3f32fdb9b68beea400050703785ef49f7d7bf77131cb683663375654b71e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions2.ini

Filesize
2KB

MD5
940ec02456acf8a9bc9cdb2be86ad05d

SHA1
146a46f5eed8b1ed37f6b6ab28177e50b2e728ab

SHA256
b443a13debea1ddd0531f62195061f4eca6e4ba49fac36b21675dca94c8e4ae6

SHA512
978c5a724c420e27bef3cdca515e9e7690302da92a3689490e1d0d36f36b34893c9e0efaa0792239a21bb211f0ee5999a775c1af07cea6b028bd2900abbdf281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\InstallOptions2.ini

Filesize
2KB

MD5
cc08fbc2d2607b44376a0d4836742879

SHA1
4dde5849494ca8c24f1c62b55f17d69df4fb8576

SHA256
c05db0b3f5b35c3caf2daa29fa2744ea6076be0cb3bb0755cd80df67606f810c

SHA512
f7f0dbe98c8621ce3eeb788870247ba038c8bac9849a592cc69762452ce88bb800e6e92cad8dd6a3d57f2dde788d69f574b9487784eca7da44064e0431005fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\ioSpecial.ini

Filesize
582B

MD5
ce41e4c04ec0fe5378793b66247fffa1

SHA1
262bb5bf4e06804a7d02147aff67abb9f101b49c

SHA256
9811d234ac29fd49413f32a3b4dd1839b9adba304880502f6cad4aa534b7fc6a

SHA512
39e6397e6d9e2a79bd858a5310979ff0faa07d326e26ba47c95cafb938de21800ac714b89f06d6a6167ee42fc071b25c154483410b7099d05ce4f731834950c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\ioSpecial.ini

Filesize
1KB

MD5
0342b84550ba44fdb5f6f459788ef0b6

SHA1
69ea05b916dc1a5ce96d84398035b11b88b9a3ca

SHA256
d22c06f9b830a103126fb7966a90e47b54f816d6f0a5448ab405a70a0110f341

SHA512
e58abde3e4307010124ca17206c4204b53ef1e3e59ce0fbc10c398211734b2ed9e59450af36a0fda0ac522007eef0b54866e451e30c51f8d2061c9109b1c499b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\ioSpecial.ini

Filesize
1KB

MD5
8549519b7cdf95808e1e40c4a9fb2e25

SHA1
682b2c83210c60582f27703308ea1a54fe665ad6

SHA256
f574a2eeb515eddd515f025fe1571960177b501f4146476f91b6bb6dbfed9096

SHA512
080b49aa3f74a78ed226fbe48e0a93f9fbc6e5cb93db5c7bf5c155d856825c1736046f2dcf67ef7fe7c35939282b774b92255c4a55be379f2b2f63c975366ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C90.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
memory/1656-35-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2632-79-0x000001B8F7110000-0x000001B8F7186000-memory.dmp

Filesize
472KB

Download
memory/2632-118-0x000001B8F70E0000-0x000001B8F70F2000-memory.dmp

Filesize
72KB

Download
memory/2632-136-0x00007FFCEDBC0000-0x00007FFCEE681000-memory.dmp

Filesize
10.8MB

Download
memory/2632-42-0x00007FFCEDBC0000-0x00007FFCEE681000-memory.dmp

Filesize
10.8MB

Download
memory/2632-117-0x000001B8F6730000-0x000001B8F673A000-memory.dmp

Filesize
40KB

Download
memory/2632-34-0x000001B8F4980000-0x000001B8F49C0000-memory.dmp

Filesize
256KB

Download
memory/2632-80-0x000001B8F7090000-0x000001B8F70E0000-memory.dmp

Filesize
320KB

Download
memory/2632-81-0x000001B8F6760000-0x000001B8F677E000-memory.dmp

Filesize
120KB

Download
memory/3096-31-0x00007FFCEDBC3000-0x00007FFCEDBC5000-memory.dmp

Filesize
8KB

Download
memory/3096-29-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/4828-56-0x000002AB6C5A0000-0x000002AB6C5C2000-memory.dmp

Filesize
136KB

Download