umbral | hxxps://cdn[.]discordapp[.]com/attachments/1180592646717190237/1182064237032509522/NostalgiaPaste[.]rar?ex=65df9f1b&is=65cd2a1b&hm=3c0a61ea2247e3f698bf71ed771fd9dd3966154830e2f85283fa05c17b99e044&

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1180592646717190237/1182064237032509522/NostalgiaPaste.rar?ex=65df9f1b&is=65cd2a1b&hm=3c0a61ea2247e3f698bf71ed771fd9dd3966154830e2f85283fa05c17b99e044&

Score

10^/10

umbral spyware stealer

Malware Config

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/4560-70-0x0000000006EB0000-0x0000000006EEE000-memory.dmp	family_umbral
behavioral1/files/0x0003000000022fab-75.dat	family_umbral
behavioral1/memory/5056-83-0x00000148CD3A0000-0x00000148CD3E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation	NostalgiaPaste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation	NostalgiaPaste.exe

Executes dropped EXE 4 IoCs

pid	Process
4560	NostalgiaPaste.exe
5056	nostalgia_authentication.exe
4704	NostalgiaPaste.exe
2736	nostalgia_authentication.exe

Loads dropped DLL 4 IoCs

pid	Process
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4704	NostalgiaPaste.exe
4704	NostalgiaPaste.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
48	discord.com
35	discord.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4704	NostalgiaPaste.exe
4704	NostalgiaPaste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2772	wmic.exe
1212	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	chrome.exe
772	chrome.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
2060	powershell.exe
2060	powershell.exe
4560	NostalgiaPaste.exe
2060	powershell.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
3584	powershell.exe
3584	powershell.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
3584	powershell.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
1104	powershell.exe
1104	powershell.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
1104	powershell.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe
4560	NostalgiaPaste.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
772	chrome.exe
772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeRestorePrivilege	2056	7zFM.exe
Token: 35	2056	7zFM.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeSecurityPrivilege	2056	7zFM.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe
Token: SeCreatePagefilePrivilege	772	chrome.exe
Token: SeShutdownPrivilege	772	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
2056	7zFM.exe
2056	7zFM.exe
2056	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe
772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 4088	772	chrome.exe	35
PID 772 wrote to memory of 4088	772	chrome.exe	35
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 4960	772	chrome.exe	89
PID 772 wrote to memory of 488	772	chrome.exe	88
PID 772 wrote to memory of 488	772	chrome.exe	88
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90
PID 772 wrote to memory of 3644	772	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1180592646717190237/1182064237032509522/NostalgiaPaste.rar?ex=65df9f1b&is=65cd2a1b&hm=3c0a61ea2247e3f698bf71ed771fd9dd3966154830e2f85283fa05c17b99e044&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c829758,0x7ff98c829768,0x7ff98c829778
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1256 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\NostalgiaPaste.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4744 --field-trial-handle=1900,i,5974985762244857119,6557054613030327189,131072 /prefetch:2
  2⤵
  PID:2068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:732

C:\Users\Admin\Desktop\New folder\NostalgiaPaste.exe
"C:\Users\Admin\Desktop\New folder\NostalgiaPaste.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4560
- C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe
  "C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe"
  2⤵
  - Executes dropped EXE
  PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4256
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:3304
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2424
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:852
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2772

C:\Users\Admin\Desktop\New folder\NostalgiaPaste.exe
"C:\Users\Admin\Desktop\New folder\NostalgiaPaste.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4704
- C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe
  "C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe"
  2⤵
  - Executes dropped EXE
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe'
    3⤵
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4944
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:396
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3220
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:688
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
26f864141921b247523518f76b0f0962

SHA1
83743a0369a82f3528e897255f6c2e9641277b2a

SHA256
136a33c574df20e89383a30e4b8911e01c7170c8b6496e7038322497f600f8a3

SHA512
16f4b6e9ee70f4f6766d3815aa4fc795adb55e351428fc1e46578f16742d850736a91c6d1f8b397620754c940260c7bc2615ae4b328dcfe61ff6d6033e42d2fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22f81ac6883539f8d0996d669d0c4eb2

SHA1
847007ce464d4fc0c8eb2a5d64cd3e7fcdb6958a

SHA256
c29fe58e45c107c5d827d83f6aad84161f6d9ff651c600c9b3e5758f7971d224

SHA512
e0b3929343dc37504c1cd75f5c59bcf456fbf84ee0fcf6eea31578cc1d30081478f2402618e5545692d1a2e9bf6ffaeafeb0a3badd16ab1521b8801ba24b0bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2b141b46dd70a94ad4fae5eb1827434b

SHA1
bb452c1b548947454cf1d74b51662a10ea5fd459

SHA256
3006b84cc30bd66e2f0baca4a4e3d5a9e3addf973edad800fb2944bb2f76d1fd

SHA512
a301019d112dd397685046795bf9d721d963c934e187de997d89c2f1e0dd01bb32f6f03d212eff9ecdf8403845ba0096076488b9de2b29e5ce40f9d4c27aabd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
2ba816fca2384150f4c45a9ca0c67249

SHA1
95a0f6710051bf5e17d1a9e14b06d7b3378e854b

SHA256
7ee4a6416d2df63697af7464e3f2557d754044e0bb02eecc98c3e786e9839652

SHA512
2679efd37373d2e4fe52491f657a450ddd545cf83ece749b1f56ce46b94e695e107d04569a426bc20db2e9baea288ef08681e20299529a4f2a3144d829b9acbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
ffa5f22e0fb506138062710acc231f83

SHA1
500eec5a767ad328f5d8b0a5637e7dcc5b906d02

SHA256
b838c79cab091c40897fdcadc3884ce33eb6ac604ef6b2607ea09bc0f96fb36b

SHA512
6825ce488f168b8806e6395eae6e238aa951ba5ce45362e84c6e4c8d36eb724213f2dd053d544191c5d8761e5fd3d4f9658a3c0da18f74be7ea988410aa3bb17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
92de32ed7311e69bef0c27917effccbb

SHA1
f00fda433421217b7d38c851f42f44e68cf64785

SHA256
e8423bd90909f5166b2a144d33e566c0e6f42d7e59295714b9d9b3dafaba3e02

SHA512
42aefd188ee4ca15745bda4aa6b42e93c837aa327e3c3b368b6ad281c2d6fb54ff4cd01aaa483a764af3d10b2aa5a25f6ce4289f9def0a1d163138ea3cf8ba39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
1638803298419c790541b2859b2c8491

SHA1
32d470a284911106bab00ca6c0b82169a2424020

SHA256
85f8493e075ed716281cd28ab236e625292c760860e91c330d0f1e75009f64ed

SHA512
acc3f22c3a7e3beccd47d07cb11c150a7d1beb3b2f2370fcaf1788c0283576636e9720d0494997e9cfe05817f533f8295c5c307eb0607942cf70a416adca9624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
0b8d372714e098662f8719bb450e37ef

SHA1
fa070198ecfc7b6f1dc03e2b6e79fd81a3b66608

SHA256
6088268ee57626c2010af1bc3451f10b35013581c8cddcf604a438ac013aa25e

SHA512
cb018067ccd435babc772e9e43740201c8d20e313dc3cad70dc57032e3298a81e7a9adf8525e67e063f8b35a38a08314936e0855d9aaaf3fe51ccaf2d7cb8a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
133KB

MD5
4b7dd3e1b93d9898014540f4e8cc8bfa

SHA1
f97a7921a9555afe75038e5f69b797dfd5a72234

SHA256
16489ceaa9c7cceef2bbefa72908ebb5b5858d812365862b8543ac000dc819d6

SHA512
59242d40010f3333ebd87529b52ff92252947e7f5e2d599d9b4de5a024387f67a290f6567b3551705952bab2c6aa21f4fe339524d14eb5876a6b3f453116a68b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nostalgia_authentication.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NostalgiaPaste.exe.log

Filesize
1KB

MD5
227fe44660100a01a0bf06df3e812a60

SHA1
598f00f48c5ec4b3d48df99be2d92ac85ffa5c72

SHA256
b5124770f064862118012dd70d4c2097ee29ee64bca525e181e586c9b00b3d85

SHA512
8047a5527b7a410f89dd81ba6db6bd89d469eb67f42fbf71f189d008104492796d8c063725f1220ece275a37ec0499dd9333986964e82d1fd80eac3c1362b98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8fc851f1c6695ea553800aeb7344e1b

SHA1
242e7e3645fd7e1515e0effcc497eb351c1f4d08

SHA256
536856ec5b8142a2cd8a415bec45dd0d8e2de6dbf31078169aaa78f927142f8e

SHA512
705f252bbb748cac43964dd16cd9be09a53d78d774da2a3ed304bc5aa341a4d7e2c1b0eb622f0d6936bdcb295aad1974c4a23d8961ae8bddb6c4bd193980b647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1f4102ca6e06c421183e4ec65a19033f

SHA1
852b6b2fba24ee1ce527c9ed5c572d5a50a0ecdb

SHA256
603e7e2e2fc85ab707b781a4c274c9bff5d9364a2c2b58949c7765185149d956

SHA512
03a9a1c2548c56326b7975ab6c5bfe2700e9d91ed8f2a174264a3c018f21a887f81fb864fa050a40c88fe4a011279da511f3facba5ffe36e2d9e8344a668376e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d9c1c8f58b566e041b49cdd321711448

SHA1
24e138bada5410d41b9c4f1d47ccdd7d730fae52

SHA256
bcc5c38901eb2bc601089ebe4138e9936700b5652b829e360ea280edf7c394a4

SHA512
ee9072c3201874a1523bc7945564e3459f56c77c4052bdc7d7e126d2c112c3de435b2ee0feee103aadf89c5d422b2ec0c5f4d9e553fe127fb9e2f94543654037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f69437dfc5b7cb5d7422d4557c5193a1

SHA1
2ad54bbf836fa97a9386a6b251c5d769a6d2badb

SHA256
f91341354f99f965d4737a54743ca914531391e5c03005020ace74f8c536c0e0

SHA512
993fe382cbd8b978e06e6e5870757959b6944d70a4e6bf97420039b20dd6f1a566545cc271b28bcb5795205d4e8ea6ce1ef4effe6ccd45d909c2560e867ccc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmmpwe2q.f2y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nostalgia_authentication.exe

Filesize
229KB

MD5
9807cd8bd9f25a62782f5ef42ef82432

SHA1
942ca4582b457f0f3768e02a3422e2646ec774e7

SHA256
9072ab80200c13dd896e67257dd9fa4f8795bbca69513d1529fa782c54ffb13d

SHA512
dd51a1d295778593c40ef27d8319ef04a0b02ee0b7a68c599aea83846d17d1db1f445ec63890639d3e9da649aac7613aa296f3e50be0a41c28683136e59ba1c3

Download Submit
C:\Users\Admin\Desktop\New folder\InjectionLibrary.dll

Filesize
78KB

MD5
64ef546a5a013f36524507e7dfc70d09

SHA1
d6d0aabdc88b7a875fd666a65194e250cd9ef3e5

SHA256
7919342e61f58303b1efe7bc3f2a612b717d64069c45eb53f0193218821d0016

SHA512
b409aaaf770bf0ca436e66279a324158845cba04ad892bbe98c0e32e96faacf83108d5e5b2b51efb59c8a3fccb4476303af47408f1a26bd79b18008ceaa7cc6b

Download Submit
C:\Users\Admin\Desktop\New folder\NostalgiaPaste.exe

Filesize
614KB

MD5
863ccaa8f5615fd603e3df9e08d433c6

SHA1
58e5ac27b4c8ce04b705fbd4fc267c7c96ae8438

SHA256
b502a581b8b5f291508791631fbd40853edc952572eaa214086f6a91694a284a

SHA512
715dccca665ffc88da761fc2ae0a9a01a477c3546b86fc0922ca033b4826f44b42c2c718b1adec2c26e9736e3e81c144ef5f5161706daa3acbabe8b0f952a906

Download Submit
C:\Users\Admin\Downloads\NostalgiaPaste.rar

Filesize
570KB

MD5
580fb25abdc9708233367ed8e44cca3a

SHA1
3928152088541452edde87b688e1955c6c4ef100

SHA256
ac9fb718a06f5ea046a5ce765f84c202c08c45814bcd10c9e74de3dfc8301878

SHA512
2bb828bc6b0cf883730d2ce87bcfe3763c8c374c74d0db6d11020315bcc37322c377d514dbe1ee0755885e1d4fbbb71001c80cd3ff1025edf75a4c1cecf55331

Download Submit
memory/852-194-0x000001D333320000-0x000001D333330000-memory.dmp

Filesize
64KB

Download
memory/852-192-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/852-195-0x000001D333320000-0x000001D333330000-memory.dmp

Filesize
64KB

Download
memory/852-196-0x000001D333320000-0x000001D333330000-memory.dmp

Filesize
64KB

Download
memory/852-198-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1104-156-0x000001E0D94E0000-0x000001E0D94F0000-memory.dmp

Filesize
64KB

Download
memory/1104-161-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1104-142-0x000001E0D94E0000-0x000001E0D94F0000-memory.dmp

Filesize
64KB

Download
memory/1104-122-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1104-130-0x000001E0D94E0000-0x000001E0D94F0000-memory.dmp

Filesize
64KB

Download
memory/1536-248-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1536-249-0x000002194BEB0000-0x000002194BEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-250-0x000002194BEB0000-0x000002194BEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-261-0x000002194BEB0000-0x000002194BEC0000-memory.dmp

Filesize
64KB

Download
memory/1536-263-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1860-245-0x000001E517BC0000-0x000001E517BD0000-memory.dmp

Filesize
64KB

Download
memory/1860-247-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/1860-243-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2060-101-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2060-95-0x0000022FC5F50000-0x0000022FC5F72000-memory.dmp

Filesize
136KB

Download
memory/2060-96-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2060-97-0x0000022FABF50000-0x0000022FABF60000-memory.dmp

Filesize
64KB

Download
memory/2060-98-0x0000022FABF50000-0x0000022FABF60000-memory.dmp

Filesize
64KB

Download
memory/2060-99-0x0000022FABF50000-0x0000022FABF60000-memory.dmp

Filesize
64KB

Download
memory/2608-271-0x00000219A5400000-0x00000219A5410000-memory.dmp

Filesize
64KB

Download
memory/2608-280-0x00000219A5400000-0x00000219A5410000-memory.dmp

Filesize
64KB

Download
memory/2608-268-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2608-295-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2736-293-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/2736-233-0x000001B1E22F0000-0x000001B1E2300000-memory.dmp

Filesize
64KB

Download
memory/2736-231-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/3584-116-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/3584-102-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/4256-162-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/4256-174-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/4560-206-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-69-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/4560-114-0x0000000009F10000-0x0000000009F20000-memory.dmp

Filesize
64KB

Download
memory/4560-64-0x000000000A1C0000-0x000000000A252000-memory.dmp

Filesize
584KB

Download
memory/4560-61-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/4560-62-0x0000000009F10000-0x0000000009F20000-memory.dmp

Filesize
64KB

Download
memory/4560-63-0x000000000A6D0000-0x000000000AC74000-memory.dmp

Filesize
5.6MB

Download
memory/4560-123-0x0000000009F10000-0x0000000009F20000-memory.dmp

Filesize
64KB

Download
memory/4560-56-0x0000000000D30000-0x0000000000E80000-memory.dmp

Filesize
1.3MB

Download
memory/4560-103-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-55-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-82-0x0000000009F10000-0x0000000009F20000-memory.dmp

Filesize
64KB

Download
memory/4560-70-0x0000000006EB0000-0x0000000006EEE000-memory.dmp

Filesize
248KB

Download
memory/4560-68-0x00000000033B0000-0x00000000033CC000-memory.dmp

Filesize
112KB

Download
memory/4704-209-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4704-265-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4704-296-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4704-282-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4704-232-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4704-281-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/5056-117-0x00000148E7B10000-0x00000148E7B86000-memory.dmp

Filesize
472KB

Download
memory/5056-129-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/5056-83-0x00000148CD3A0000-0x00000148CD3E0000-memory.dmp

Filesize
256KB

Download
memory/5056-84-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/5056-85-0x00000148CD7C0000-0x00000148CD7D0000-memory.dmp

Filesize
64KB

Download
memory/5056-121-0x00000148CF150000-0x00000148CF16E000-memory.dmp

Filesize
120KB

Download
memory/5056-118-0x00000148CF1A0000-0x00000148CF1F0000-memory.dmp

Filesize
320KB

Download
memory/5056-204-0x00007FF978AC0000-0x00007FF979581000-memory.dmp

Filesize
10.8MB

Download
memory/5056-177-0x00000148CF180000-0x00000148CF18A000-memory.dmp

Filesize
40KB

Download
memory/5056-178-0x00000148E7BB0000-0x00000148E7BC2000-memory.dmp

Filesize
72KB

Download