umbral | 13dcf8833f9fe533311420d9db085b180aca2ff1674e692c79b6596ebf5a83cd

Analysis

max time kernel
124s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09-06-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan.exe
Size

19.8MB
MD5

4aa0a579b602bd4434e6c857294fcca5
SHA1

3b4fec5946e430c54ec4b9170b165c9893368c1b
SHA256

13dcf8833f9fe533311420d9db085b180aca2ff1674e692c79b6596ebf5a83cd
SHA512

58fc656496033afdeda99efb2d9576fcc46e4b8af96ed0d024dc13b1fd775a98dad74d53f917c0e63980129221ecd686a8e178a86da423fadaac0761d50eff4a
SSDEEP

393216:kTspQo6f651rlw2PbRAInE5xg2N0hS+cpEMqT96SDtwdM7d3dgB7bSu8bafx3:kQuo6kBbeIACkAaE6k4MwBau8ix

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

north-modem.gl.at.ply.gg:45517

Attributes

Install_directory
%AppData%
install_file
Antimalware Service Executable.exe

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe	family_umbral
behavioral2/memory/4552-25-0x00000216065A0000-0x00000216065E0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\sdfc.exe	family_xworm
behavioral2/memory/1884-53-0x00000000008E0000-0x00000000008F6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2948 powershell.exe
3400 powershell.exe
3444 powershell.exe
4392 powershell.exe
1444 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Stealeerrrl.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Stealeerrrl.exe

pid	process
2948	powershell.exe
3400	powershell.exe
3444	powershell.exe
4392	powershell.exe
1444	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Stealeerrrl.exe

Drops startup file 2 IoCs

Processes:

sdfc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.lnk	sdfc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.lnk	sdfc.exe

Executes dropped EXE 30 IoCs

Processes:

SHACTUAL.exeStealeerrrl.exeNursultan.exesdfc.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exe45215434532.exeNursultan.exeStealeerrrl.exeAntimalware Service Executable.exeAntimalware Service Executable.exe

pid	process
3012	SHACTUAL.exe
4552	Stealeerrrl.exe
1228	Nursultan.exe
1884	sdfc.exe
972	45215434532.exe
2208	Nursultan.exe
2412	Stealeerrrl.exe
2148	45215434532.exe
3096	Nursultan.exe
2704	Stealeerrrl.exe
424	45215434532.exe
2012	Nursultan.exe
1716	Stealeerrrl.exe
2144	45215434532.exe
416	Nursultan.exe
1404	Stealeerrrl.exe
4852	45215434532.exe
1188	Nursultan.exe
3508	Stealeerrrl.exe
4660	45215434532.exe
4368	Nursultan.exe
3764	Stealeerrrl.exe
1436	45215434532.exe
4028	Nursultan.exe
2600	Stealeerrrl.exe
4452	45215434532.exe
2288	Nursultan.exe
1140	Stealeerrrl.exe
1940	Antimalware Service Executable.exe
2380	Antimalware Service Executable.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sdfc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.exe"	sdfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
2 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
8	discord.com
2	discord.com

flow	ioc
2	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2688 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3596 wmic.exe
Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings taskmgr.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4324 PING.EXE

pid	process
2688	schtasks.exe

pid	process
3596	wmic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	taskmgr.exe

pid	process
4324	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

Stealeerrrl.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exe

pid	process
4552	Stealeerrrl.exe
2948	powershell.exe
2948	powershell.exe
3400	powershell.exe
3400	powershell.exe
2812	powershell.exe
2812	powershell.exe
3444	powershell.exe
3444	powershell.exe
4392	powershell.exe
1812	powershell.exe
4392	powershell.exe
1812	powershell.exe
1444	powershell.exe
1444	powershell.exe
2956	powershell.exe
2956	powershell.exe
984	powershell.exe
984	powershell.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Stealeerrrl.exesdfc.exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4552	Stealeerrrl.exe
Token: SeDebugPrivilege	1884	sdfc.exe
Token: SeIncreaseQuotaPrivilege	3956	wmic.exe
Token: SeSecurityPrivilege	3956	wmic.exe
Token: SeTakeOwnershipPrivilege	3956	wmic.exe
Token: SeLoadDriverPrivilege	3956	wmic.exe
Token: SeSystemProfilePrivilege	3956	wmic.exe
Token: SeSystemtimePrivilege	3956	wmic.exe
Token: SeProfSingleProcessPrivilege	3956	wmic.exe
Token: SeIncBasePriorityPrivilege	3956	wmic.exe
Token: SeCreatePagefilePrivilege	3956	wmic.exe
Token: SeBackupPrivilege	3956	wmic.exe
Token: SeRestorePrivilege	3956	wmic.exe
Token: SeShutdownPrivilege	3956	wmic.exe
Token: SeDebugPrivilege	3956	wmic.exe
Token: SeSystemEnvironmentPrivilege	3956	wmic.exe
Token: SeRemoteShutdownPrivilege	3956	wmic.exe
Token: SeUndockPrivilege	3956	wmic.exe
Token: SeManageVolumePrivilege	3956	wmic.exe
Token: 33	3956	wmic.exe
Token: 34	3956	wmic.exe
Token: 35	3956	wmic.exe
Token: 36	3956	wmic.exe
Token: SeIncreaseQuotaPrivilege	3956	wmic.exe
Token: SeSecurityPrivilege	3956	wmic.exe
Token: SeTakeOwnershipPrivilege	3956	wmic.exe
Token: SeLoadDriverPrivilege	3956	wmic.exe
Token: SeSystemProfilePrivilege	3956	wmic.exe
Token: SeSystemtimePrivilege	3956	wmic.exe
Token: SeProfSingleProcessPrivilege	3956	wmic.exe
Token: SeIncBasePriorityPrivilege	3956	wmic.exe
Token: SeCreatePagefilePrivilege	3956	wmic.exe
Token: SeBackupPrivilege	3956	wmic.exe
Token: SeRestorePrivilege	3956	wmic.exe
Token: SeShutdownPrivilege	3956	wmic.exe
Token: SeDebugPrivilege	3956	wmic.exe
Token: SeSystemEnvironmentPrivilege	3956	wmic.exe
Token: SeRemoteShutdownPrivilege	3956	wmic.exe
Token: SeUndockPrivilege	3956	wmic.exe
Token: SeManageVolumePrivilege	3956	wmic.exe
Token: 33	3956	wmic.exe
Token: 34	3956	wmic.exe
Token: 35	3956	wmic.exe
Token: 36	3956	wmic.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeIncreaseQuotaPrivilege	4976	wmic.exe
Token: SeSecurityPrivilege	4976	wmic.exe
Token: SeTakeOwnershipPrivilege	4976	wmic.exe
Token: SeLoadDriverPrivilege	4976	wmic.exe
Token: SeSystemProfilePrivilege	4976	wmic.exe
Token: SeSystemtimePrivilege	4976	wmic.exe
Token: SeProfSingleProcessPrivilege	4976	wmic.exe
Token: SeIncBasePriorityPrivilege	4976	wmic.exe
Token: SeCreatePagefilePrivilege	4976	wmic.exe
Token: SeBackupPrivilege	4976	wmic.exe
Token: SeRestorePrivilege	4976	wmic.exe
Token: SeShutdownPrivilege	4976	wmic.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

taskmgr.exe

pid	process
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

taskmgr.exe

pid	process
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe
3948	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Nursultan.exeNursultan.exeNursultan.exeStealeerrrl.exeNursultan.exeNursultan.exeNursultan.exeNursultan.exesdfc.exeNursultan.exeNursultan.exe

description	pid	process	target process
PID 2216 wrote to memory of 3012	2216	Nursultan.exe	SHACTUAL.exe
PID 2216 wrote to memory of 3012	2216	Nursultan.exe	SHACTUAL.exe
PID 2216 wrote to memory of 4552	2216	Nursultan.exe	Stealeerrrl.exe
PID 2216 wrote to memory of 4552	2216	Nursultan.exe	Stealeerrrl.exe
PID 2216 wrote to memory of 1228	2216	Nursultan.exe	Nursultan.exe
PID 2216 wrote to memory of 1228	2216	Nursultan.exe	Nursultan.exe
PID 2216 wrote to memory of 1884	2216	Nursultan.exe	sdfc.exe
PID 2216 wrote to memory of 1884	2216	Nursultan.exe	sdfc.exe
PID 1228 wrote to memory of 972	1228	Nursultan.exe	45215434532.exe
PID 1228 wrote to memory of 972	1228	Nursultan.exe	45215434532.exe
PID 1228 wrote to memory of 2208	1228	Nursultan.exe	Nursultan.exe
PID 1228 wrote to memory of 2208	1228	Nursultan.exe	Nursultan.exe
PID 1228 wrote to memory of 2412	1228	Nursultan.exe	Stealeerrrl.exe
PID 1228 wrote to memory of 2412	1228	Nursultan.exe	Stealeerrrl.exe
PID 2208 wrote to memory of 2148	2208	Nursultan.exe	45215434532.exe
PID 2208 wrote to memory of 2148	2208	Nursultan.exe	45215434532.exe
PID 2208 wrote to memory of 3096	2208	Nursultan.exe	Nursultan.exe
PID 2208 wrote to memory of 3096	2208	Nursultan.exe	Nursultan.exe
PID 2208 wrote to memory of 2704	2208	Nursultan.exe	Stealeerrrl.exe
PID 2208 wrote to memory of 2704	2208	Nursultan.exe	Stealeerrrl.exe
PID 4552 wrote to memory of 3956	4552	Stealeerrrl.exe	wmic.exe
PID 4552 wrote to memory of 3956	4552	Stealeerrrl.exe	wmic.exe
PID 3096 wrote to memory of 424	3096	Nursultan.exe	45215434532.exe
PID 3096 wrote to memory of 424	3096	Nursultan.exe	45215434532.exe
PID 3096 wrote to memory of 2012	3096	Nursultan.exe	Nursultan.exe
PID 3096 wrote to memory of 2012	3096	Nursultan.exe	Nursultan.exe
PID 3096 wrote to memory of 1716	3096	Nursultan.exe	Stealeerrrl.exe
PID 3096 wrote to memory of 1716	3096	Nursultan.exe	Stealeerrrl.exe
PID 2012 wrote to memory of 2144	2012	Nursultan.exe	45215434532.exe
PID 2012 wrote to memory of 2144	2012	Nursultan.exe	45215434532.exe
PID 2012 wrote to memory of 416	2012	Nursultan.exe	Nursultan.exe
PID 2012 wrote to memory of 416	2012	Nursultan.exe	Nursultan.exe
PID 2012 wrote to memory of 1404	2012	Nursultan.exe	Stealeerrrl.exe
PID 2012 wrote to memory of 1404	2012	Nursultan.exe	Stealeerrrl.exe
PID 416 wrote to memory of 4852	416	Nursultan.exe	45215434532.exe
PID 416 wrote to memory of 4852	416	Nursultan.exe	45215434532.exe
PID 4552 wrote to memory of 3056	4552	Stealeerrrl.exe	attrib.exe
PID 4552 wrote to memory of 3056	4552	Stealeerrrl.exe	attrib.exe
PID 4552 wrote to memory of 2948	4552	Stealeerrrl.exe	Conhost.exe
PID 4552 wrote to memory of 2948	4552	Stealeerrrl.exe	Conhost.exe
PID 416 wrote to memory of 1188	416	Nursultan.exe	Nursultan.exe
PID 416 wrote to memory of 1188	416	Nursultan.exe	Nursultan.exe
PID 416 wrote to memory of 3508	416	Nursultan.exe	Stealeerrrl.exe
PID 416 wrote to memory of 3508	416	Nursultan.exe	Stealeerrrl.exe
PID 1188 wrote to memory of 4660	1188	Nursultan.exe	45215434532.exe
PID 1188 wrote to memory of 4660	1188	Nursultan.exe	45215434532.exe
PID 1884 wrote to memory of 3400	1884	sdfc.exe	powershell.exe
PID 1884 wrote to memory of 3400	1884	sdfc.exe	powershell.exe
PID 1188 wrote to memory of 4368	1188	Nursultan.exe	Nursultan.exe
PID 1188 wrote to memory of 4368	1188	Nursultan.exe	Nursultan.exe
PID 1188 wrote to memory of 3764	1188	Nursultan.exe	Stealeerrrl.exe
PID 1188 wrote to memory of 3764	1188	Nursultan.exe	Stealeerrrl.exe
PID 4552 wrote to memory of 2812	4552	Stealeerrrl.exe	powershell.exe
PID 4552 wrote to memory of 2812	4552	Stealeerrrl.exe	powershell.exe
PID 4368 wrote to memory of 1436	4368	Nursultan.exe	45215434532.exe
PID 4368 wrote to memory of 1436	4368	Nursultan.exe	45215434532.exe
PID 1884 wrote to memory of 3444	1884	sdfc.exe	powershell.exe
PID 1884 wrote to memory of 3444	1884	sdfc.exe	powershell.exe
PID 4368 wrote to memory of 4028	4368	Nursultan.exe	Nursultan.exe
PID 4368 wrote to memory of 4028	4368	Nursultan.exe	Nursultan.exe
PID 4368 wrote to memory of 2600	4368	Nursultan.exe	Stealeerrrl.exe
PID 4368 wrote to memory of 2600	4368	Nursultan.exe	Stealeerrrl.exe
PID 4028 wrote to memory of 4452	4028	Nursultan.exe	45215434532.exe
PID 4028 wrote to memory of 4452	4028	Nursultan.exe	45215434532.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3056 attrib.exe

pid	process
3056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Roaming\SHACTUAL.exe
  "C:\Users\Admin\AppData\Roaming\SHACTUAL.exe"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
  "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
    3⤵
    - Views/modifies file attributes
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4864
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3596
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe" && pause
    3⤵
    PID:1680
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4324
- C:\Users\Admin\AppData\Roaming\Nursultan.exe
  "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Roaming\45215434532.exe
    "C:\Users\Admin\AppData\Roaming\45215434532.exe"
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Roaming\45215434532.exe
      "C:\Users\Admin\AppData\Roaming\45215434532.exe"
      4⤵
      Executes dropped EXE
      PID:2148
  - - C:\Users\Admin\AppData\Roaming\Nursultan.exe
      "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        5⤵
        Executes dropped EXE
        
        PID:424
    - - C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        6⤵
        Executes dropped EXE
        
        PID:2144
      - C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        7⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        8⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        9⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\45215434532.exe
        
        "C:\Users\Admin\AppData\Roaming\45215434532.exe"
        10⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\Nursultan.exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
        10⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        10⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        9⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        8⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        7⤵
        Executes dropped EXE
        
        PID:3508
      - C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        6⤵
        Executes dropped EXE
        
        PID:1404
    - - C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
        
        "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
        5⤵
        Executes dropped EXE
        
        PID:1716
  - - C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
      "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
      4⤵
      Executes dropped EXE
      PID:2704
- - C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe
    "C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe"
    3⤵
    - Executes dropped EXE
    PID:2412
- C:\Users\Admin\AppData\Roaming\sdfc.exe
  "C:\Users\Admin\AppData\Roaming\sdfc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sdfc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sdfc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Antimalware Service Executable.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Antimalware Service Executable" /tr "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2948

C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe
"C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1944

C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe
"C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.exe"
1⤵
- Executes dropped EXE
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\45215434532.exe.log

Filesize
871B

MD5
bc4e798e428bf600621ffa361da29e88

SHA1
60c6bbe3f8dd34346f4b917d540bf23d7e388d0c

SHA256
e581886635b44fab5f83b1267283d3718cfd5b1663c888bd43723d3735d13d61

SHA512
f311add74aea7f96f9face313710328846f49131c97568ee556bd31447036c29c08e6953394fe8dcb0fc072bb19dcb6e72dcf26c0519cec26056da0e869127c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stealeerrrl.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0a85f07903eaad4aace8865ff28679f

SHA1
caa147464cf2e31bf9b482c3ba3c5c71951566d1

SHA256
c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

SHA512
7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5290e8c2492ea1812a2b7ebb3c70506

SHA1
767dcfe668d580351c8615eb85d0a31f58820d31

SHA256
62d7ba496f7f8ef79daabebfef56fcf21e7bbaac3a75121bde26401a6a1664ff

SHA512
f3bfe19c0d66df393c8925f17ab5054d7c6f940a17252f682fae7211c39f3b1e9d5c10bea17b060534d23822d00f3daf3eac42b803ca6f525f1850a24619d937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00b5dac0faabd946e46411c68c4e4b54

SHA1
ebffe4f7312c6a3ea1a5bfb8e36e3716b73a71de

SHA256
ba0bccd5b683d96eda6d4000424147e0dddaa1e6c87dd65566721f4552397133

SHA512
25a291425f8ac169440d5a6250b2eae67261d599bd35aa3e02c742deed5aedea7d4e88910947116068759e3b8cb5fd82c29b6360d86b663fc536b09bd69ac9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yr2tb3ff.zhw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\45215434532.exe

Filesize
289KB

MD5
2fbb066a05c1ef9460e97aaedbe0e45e

SHA1
d5d26c284cea1437decf880c20a39b16e7e6a63a

SHA256
ab4cecb9a0cff2c60bcac17ce47d47c1f322e27668ebc446825c6882472bb01d

SHA512
22ba0f92821aef8c395cddc3ffee007541fafa3f797f2b2dd1695b3f42cf7423ed1f3eadd522213f62533ee7d43087e96047d6e44dd5f2ea9fa4afc157b7af9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.lnk

Filesize
888B

MD5
11b9efcdfb3533481ed88f33c2f9354d

SHA1
8d61d5792f5e068a9ebf11028d24240e9f71a710

SHA256
d83e5357c29935a09cf1e41028d26f6f27cdaf84b681d6153ce811affa1d0c8b

SHA512
944d4afbff27b71527a7b7b013667228a5b913955115ca3da9240d65d227a768b3fff36a358e897216ccb9fa18df76a533ed9ade535a0073f2fdebb4f312b261

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
19.0MB

MD5
f139956e3513372dfedb48be8c5f20d2

SHA1
10f96e4db74379253e344ab946cd0277b9e3399b

SHA256
c8953cfb225aee2562f4488207d03aa8d64a742ab9a8685cf68c7df9b3fced43

SHA512
1057fb10d053f5c98fc379ee01bd01f9771fe8cd085c735e61ad58a07d4184454814eb46172ca934cdb4f26f998cb9826d2dcefed4bf64efbc55445bf7555858

Download Submit
C:\Users\Admin\AppData\Roaming\SHACTUAL.exe

Filesize
286KB

MD5
172102632622276b14db160162216da2

SHA1
d43e5499a72085f8f088b8cdec03d0e2e848354b

SHA256
db2780fbfa5ef72359db0a4eaa4d49a2ba08b628820803d10e87d1942f5f242d

SHA512
29a62c255304d04d8d7b96bb66e9dca58365b56f73ec64dbcba9bec15af3e771fc856db7328918d9ede81dbfa5d5e7b5157d3366833c1cf5ff0cc3ffe57c9686

Download Submit
C:\Users\Admin\AppData\Roaming\Stealeerrrl.exe

Filesize
227KB

MD5
0c5a658e2dd610701dfdda4af941cedf

SHA1
d90c4f66c708206b2d62e84923ea5746f2aa37ff

SHA256
3c40b379fa1a86269b0f31473a95917e2d940a0ad11c95f0209518d4e32afc60

SHA512
557a1d3fdf5c77bbe97b7d1eabb09ddcf44387c17ee22506ec0e2e47a20814a4f067ed225384b40244e013b79866034b0efb1b3f890cde68f940132e10714091

Download Submit
C:\Users\Admin\AppData\Roaming\sdfc.exe

Filesize
61KB

MD5
114dc24354f0c5ed1c34c1e21abc72fd

SHA1
e311f13272546541bcb93454367c1f958deba7e1

SHA256
c36165bdc7f50ae6366f31fcda7d96b4eb2ec4bfc91f4a75d1347eb74c599a3f

SHA512
23ca2599c8f08c7690a2e7edc5835c72ac2b985b0c40a33abee4e6cd8e87ef1604d26087f69f91606f2842bbb3ef593733727a56964e49d00cb2e57422f25e96

Download Submit
memory/972-66-0x0000000000490000-0x00000000004DC000-memory.dmp

Filesize
304KB

Download
memory/1228-54-0x00000000009E0000-0x0000000001CDC000-memory.dmp

Filesize
19.0MB

Download
memory/1884-53-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/2216-0-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

Filesize
8KB

Download
memory/2216-1-0x0000000000540000-0x000000000190C000-memory.dmp

Filesize
19.8MB

Download
memory/2948-134-0x00000169FBE30000-0x00000169FBE52000-memory.dmp

Filesize
136KB

Download
memory/3012-49-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/3012-22-0x00000000007A0000-0x00000000007EC000-memory.dmp

Filesize
304KB

Download
memory/3012-26-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/3948-299-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-298-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-292-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-297-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-300-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-301-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-303-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-302-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-291-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/3948-293-0x000002894FB80000-0x000002894FB81000-memory.dmp

Filesize
4KB

Download
memory/4552-27-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/4552-287-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/4552-284-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/4552-265-0x0000021620B10000-0x0000021620B1A000-memory.dmp

Filesize
40KB

Download
memory/4552-266-0x0000021620B60000-0x0000021620B72000-memory.dmp

Filesize
72KB

Download
memory/4552-25-0x00000216065A0000-0x00000216065E0000-memory.dmp

Filesize
256KB

Download
memory/4552-207-0x0000021620DF0000-0x0000021620E66000-memory.dmp

Filesize
472KB

Download
memory/4552-210-0x0000021608290000-0x00000216082AE000-memory.dmp

Filesize
120KB

Download
memory/4552-209-0x0000021620AC0000-0x0000021620B10000-memory.dmp

Filesize
320KB

Download