xworm | c97add81fe634aac6a0291ebbefc67bc3748966e27cca7fec62e54a54a50abc8

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha (prem).exe
Size

3.6MB
MD5

9da7ae2451efded063b29e9763aa244c
SHA1

fb8ca87e4858331ea25485312a5d71ba25704cbc
SHA256

a993be0a000fc4fff5b3806da4d35981551c2ed13655a19985e2f1928f869e07
SHA512

370af95e2ef727f05051738d9f878e9b3954f9a95e2d486afc1000bb2619f9105c1078ecfda78e73cc609e87799c7e67bd19afdd1d1a9ea5b781b896f8825c66
SSDEEP

98304:7u7xU6HERA18WXVP46ir0HKNDKx8/0hYC3srW5cXVR:7u7i6HctF6g0HKND0

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

192.121.16.228:8324

Attributes

Install_directory
%AppData%
install_file
NurClient.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001211a-5.dat	family_xworm
behavioral1/memory/2092-7-0x00000000010C0000-0x00000000010D8000-memory.dmp	family_xworm
behavioral1/memory/2864-102-0x0000000000B40000-0x0000000000B58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
816	powershell.exe
2000	powershell.exe
852	powershell.exe
2816	powershell.exe
2820	powershell.exe
1392	powershell.exe
2344	powershell.exe
2952	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk	nur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk	nur.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk	NurClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2092	nur.exe
1972	Nursultan Alpha (prem).exe
2192	Nursultan Alpha (prem).exe
2728	test1w.exe
2756	Nursultan Alpha (prem).exe
2852	skeet.exe
3008	test1w.exe
2612	test1w.exe
2604	Nursultan Alpha (prem).exe
2652	NurClient.exe
2164	skeet.exe
584	skeet.exe
836	NurClient.exe
2112	skeet.exe
2892	NurClient.exe
2952	NurClient.exe
2016	test1w.exe
2920	skeet.exe
2968	Nursultan Alpha (prem).exe
1180	NurClient.exe
596	skeet.exe
1296	skeet.exe
264	skeet.exe
572	NurClient.exe
2244	skeet.exe
2212	test1w.exe
2188	Nursultan Alpha (prem).exe
2156	NurClient.exe
564	skeet.exe
796	skeet.exe
1556	skeet.exe
1588	NurClient.exe
2316	NurClient.exe
1700	skeet.exe
2820	skeet.exe
2644	skeet.exe
2492	test1w.exe
2816	skeet.exe
2844	Nursultan Alpha (prem).exe
1632	NurClient.exe
1248	skeet.exe
2428	NurClient.exe
2888	NurClient.exe
2708	test1w.exe
2060	skeet.exe
1952	skeet.exe
2292	Nursultan Alpha (prem).exe
2148	skeet.exe
2768	skeet.exe
1520	skeet.exe
1664	NurClient.exe
1948	NurClient.exe
2932	skeet.exe
2584	NurClient.exe
2000	test1w.exe
1912	skeet.exe
908	Nursultan Alpha (prem).exe
836	skeet.exe
600	skeet.exe
1596	NurClient.exe
1800	NurClient.exe
2244	skeet.exe
2200	Nursultan Alpha (prem).exe
1540	skeet.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurClient = "C:\\Users\\Admin\\AppData\\Roaming\\NurClient.exe"	nur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurClient = "C:\\Users\\Admin\\AppData\\Roaming\\NurClient.exe"	NurClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2952	powershell.exe
816	powershell.exe
2000	powershell.exe
852	powershell.exe
2092	nur.exe
2816	powershell.exe
2820	powershell.exe
1392	powershell.exe
2344	powershell.exe
2864	NurClient.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	nur.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2864	NurClient.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2092	nur.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2864	NurClient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2092	nur.exe
2864	NurClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2092	2548	Nursultan Alpha (prem).exe	30
PID 2548 wrote to memory of 2092	2548	Nursultan Alpha (prem).exe	30
PID 2548 wrote to memory of 2092	2548	Nursultan Alpha (prem).exe	30
PID 2548 wrote to memory of 1972	2548	Nursultan Alpha (prem).exe	31
PID 2548 wrote to memory of 1972	2548	Nursultan Alpha (prem).exe	31
PID 2548 wrote to memory of 1972	2548	Nursultan Alpha (prem).exe	31
PID 1972 wrote to memory of 2192	1972	Nursultan Alpha (prem).exe	32
PID 1972 wrote to memory of 2192	1972	Nursultan Alpha (prem).exe	32
PID 1972 wrote to memory of 2192	1972	Nursultan Alpha (prem).exe	32
PID 1972 wrote to memory of 2728	1972	Nursultan Alpha (prem).exe	33
PID 1972 wrote to memory of 2728	1972	Nursultan Alpha (prem).exe	33
PID 1972 wrote to memory of 2728	1972	Nursultan Alpha (prem).exe	33
PID 2192 wrote to memory of 2756	2192	Nursultan Alpha (prem).exe	34
PID 2192 wrote to memory of 2756	2192	Nursultan Alpha (prem).exe	34
PID 2192 wrote to memory of 2756	2192	Nursultan Alpha (prem).exe	34
PID 2192 wrote to memory of 3008	2192	Nursultan Alpha (prem).exe	35
PID 2192 wrote to memory of 3008	2192	Nursultan Alpha (prem).exe	35
PID 2192 wrote to memory of 3008	2192	Nursultan Alpha (prem).exe	35
PID 2728 wrote to memory of 2852	2728	test1w.exe	36
PID 2728 wrote to memory of 2852	2728	test1w.exe	36
PID 2728 wrote to memory of 2852	2728	test1w.exe	36
PID 2756 wrote to memory of 2604	2756	Nursultan Alpha (prem).exe	37
PID 2756 wrote to memory of 2604	2756	Nursultan Alpha (prem).exe	37
PID 2756 wrote to memory of 2604	2756	Nursultan Alpha (prem).exe	37
PID 2756 wrote to memory of 2612	2756	Nursultan Alpha (prem).exe	38
PID 2756 wrote to memory of 2612	2756	Nursultan Alpha (prem).exe	38
PID 2756 wrote to memory of 2612	2756	Nursultan Alpha (prem).exe	38
PID 2728 wrote to memory of 2652	2728	test1w.exe	115
PID 2728 wrote to memory of 2652	2728	test1w.exe	115
PID 2728 wrote to memory of 2652	2728	test1w.exe	115
PID 2852 wrote to memory of 2164	2852	skeet.exe	120
PID 2852 wrote to memory of 2164	2852	skeet.exe	120
PID 2852 wrote to memory of 2164	2852	skeet.exe	120
PID 2852 wrote to memory of 836	2852	skeet.exe	87
PID 2852 wrote to memory of 836	2852	skeet.exe	87
PID 2852 wrote to memory of 836	2852	skeet.exe	87
PID 2652 wrote to memory of 584	2652	NurClient.exe	42
PID 2652 wrote to memory of 584	2652	NurClient.exe	42
PID 2652 wrote to memory of 584	2652	NurClient.exe	42
PID 2612 wrote to memory of 2112	2612	test1w.exe	43
PID 2612 wrote to memory of 2112	2612	test1w.exe	43
PID 2612 wrote to memory of 2112	2612	test1w.exe	43
PID 584 wrote to memory of 2920	584	skeet.exe	45
PID 584 wrote to memory of 2920	584	skeet.exe	45
PID 584 wrote to memory of 2920	584	skeet.exe	45
PID 2612 wrote to memory of 2892	2612	test1w.exe	44
PID 2612 wrote to memory of 2892	2612	test1w.exe	44
PID 2612 wrote to memory of 2892	2612	test1w.exe	44
PID 2604 wrote to memory of 2968	2604	Nursultan Alpha (prem).exe	47
PID 2604 wrote to memory of 2968	2604	Nursultan Alpha (prem).exe	47
PID 2604 wrote to memory of 2968	2604	Nursultan Alpha (prem).exe	47
PID 584 wrote to memory of 2952	584	skeet.exe	126
PID 584 wrote to memory of 2952	584	skeet.exe	126
PID 584 wrote to memory of 2952	584	skeet.exe	126
PID 2604 wrote to memory of 2016	2604	Nursultan Alpha (prem).exe	48
PID 2604 wrote to memory of 2016	2604	Nursultan Alpha (prem).exe	48
PID 2604 wrote to memory of 2016	2604	Nursultan Alpha (prem).exe	48
PID 2016 wrote to memory of 1296	2016	test1w.exe	49
PID 2016 wrote to memory of 1296	2016	test1w.exe	49
PID 2016 wrote to memory of 1296	2016	test1w.exe	49
PID 2016 wrote to memory of 1180	2016	test1w.exe	50
PID 2016 wrote to memory of 1180	2016	test1w.exe	50
PID 2016 wrote to memory of 1180	2016	test1w.exe	50
PID 836 wrote to memory of 264	836	NurClient.exe	51

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\nur.exe
  "C:\Users\Admin\AppData\Roaming\nur.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\nur.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nur.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
    "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        6⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        7⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        8⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        9⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        10⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        11⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        12⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        13⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        14⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        15⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        15⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        16⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        16⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        17⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        18⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        19⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        20⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        21⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        22⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        23⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        24⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        24⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        25⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        23⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        24⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        25⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        26⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        26⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        27⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        28⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        28⤵
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        25⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        26⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        22⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        23⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        21⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        22⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        20⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        21⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        19⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        18⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        19⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        14⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        13⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        14⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        15⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        12⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        14⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        13⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        11⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        12⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        13⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        12⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        15⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        15⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        16⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        17⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        18⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        18⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        17⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        18⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        19⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        19⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        20⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        14⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        10⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        12⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        9⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        12⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        14⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        13⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        12⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        8⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        7⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        8⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Executes dropped EXE
        
        PID:1520
      - C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        7⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:1556
    - - C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        7⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:1952
      - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        6⤵
        Executes dropped EXE
        
        PID:2892
  - - C:\Users\Admin\AppData\Roaming\test1w.exe
      "C:\Users\Admin\AppData\Roaming\test1w.exe"
      4⤵
      Executes dropped EXE
      PID:3008
- - C:\Users\Admin\AppData\Roaming\test1w.exe
    "C:\Users\Admin\AppData\Roaming\test1w.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\skeet.exe
      "C:\Users\Admin\AppData\Roaming\skeet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        5⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Executes dropped EXE
        
        PID:264
  - - C:\Users\Admin\AppData\Roaming\NurClient.exe
      "C:\Users\Admin\AppData\Roaming\NurClient.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:584
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Executes dropped EXE
        
        PID:2920
      - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        6⤵
        Executes dropped EXE
        
        PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-384287415-1723505093832264851793369483-1582825164-14268519841182019129-269804922"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1942361847-1656259457-974691715-1328932242-20977772851974483794-1806753244673989076"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60023162139961100-1436093298-11700267781583964974633086892-17476288461116955"
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PSQORTLFJBXGDYBPU3NJ.temp

Filesize
7KB

MD5
0d011f19353225afc3ab8e617b0261ce

SHA1
6e8c5ec269138f9e021272789a36db624c4c96ac

SHA256
8a44ba2a4fc56c7c6a7b055439de33a376789365b0b5145ebccea08b637a0f2f

SHA512
df5f14c0fded71f87bff141cd4d9d9dc7c20d829a91cb58fa9f3a720c5cfc772a88a0be5ac5869d73f00688b88712b4897954119de7f080a0e7f1750d6ca8343

Download Submit
C:\Users\Admin\AppData\Roaming\NurClient.exe

Filesize
157KB

MD5
98198dc506f9038bdb935e06635f8f0c

SHA1
0d6f7f2f0b082c0158a42f96136202337da33c64

SHA256
27c1a6f4ed357879f5d43758d1f596e9c899e2995fc6c7ee1e426e59fb050817

SHA512
c7caa8313899d5f6127b46485428713026ea409604ad6803325123927ccada8528d2709990e813d737466dd23dcb63ac4383dd4b2bec6a9107bd3c637e6a12f5

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe

Filesize
3.5MB

MD5
3972af0b29e3708ed0a24a8228450248

SHA1
544656d4cd451afce236bc8e8b4f138d3b573e7d

SHA256
a54b54c7a1b3a6966b7207aece9d77cdcf48caddd8236fc61060689867ab258f

SHA512
a0b4ca8e728531a9992fec26154260b8cc8d0b380d32e8da3a4f451509640e23d2771ddf4bfe2488c81d4869e7bb648251da3507d98ab3142e48c8e09e7b5dd4

Download Submit
C:\Users\Admin\AppData\Roaming\nur.exe

Filesize
71KB

MD5
162addbe2fd96d0442c7fb4231855279

SHA1
119ab55811b46e949266b393964f6d494d0dc96e

SHA256
780f577c0620f1245217cbefbbd0f94c66b9bd0efb49310204f8b414a293b854

SHA512
8e594992482f15a9d366986b438e598a71d98055aaea87e78abf8b518d76d59524bf80cabf84bba508352ca1022d0a98b01301c91278ff86a47246462d89e605

Download Submit
C:\Users\Admin\AppData\Roaming\skeet.exe

Filesize
147KB

MD5
7967febe5c8d05429d8b86b3f526a7b6

SHA1
87d3d6e07ed6a4fb076a7561ab5f9e9d6064b1e4

SHA256
a1199d6afa00693691e03b3244e970798c128b7f52d78887a9622aabd2ba8303

SHA512
2ccbd355ec7c781abb322ed62ba22671f79080f61a21937d615e2744f6069d5dd31477d7682e7d1c682b1305c9261a20dc68bd06723be18d583d6258acf826a4

Download Submit
C:\Users\Admin\AppData\Roaming\test1w.exe

Filesize
319KB

MD5
ff9321376e90e0ae1478bd12fce85931

SHA1
639cb9225bb206f620e8a258d34032b4197c3440

SHA256
f157f48da00a80bbacecb0a912f2b213cee321c080bd753e1eb871005ada9a74

SHA512
be76d7aa3bc7aa0f9fc0f2128f9c5348ce107419bb6734f09eafdf2ff4ff709692f3d726952f6d9857a6c58766963d2c3e88cc30e2011a1b8011687d092db98f

Download Submit
memory/816-100-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/816-98-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-13-0x0000000000CB0000-0x000000000103C000-memory.dmp

Filesize
3.5MB

Download
memory/2092-14-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-130-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-129-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-112-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-7-0x00000000010C0000-0x00000000010D8000-memory.dmp

Filesize
96KB

Download
memory/2548-1-0x0000000000CC0000-0x0000000001060000-memory.dmp

Filesize
3.6MB

Download
memory/2548-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2652-37-0x0000000000FB0000-0x0000000000FDE000-memory.dmp

Filesize
184KB

Download
memory/2728-21-0x0000000001060000-0x00000000010B6000-memory.dmp

Filesize
344KB

Download
memory/2852-31-0x0000000000F50000-0x0000000000F7C000-memory.dmp

Filesize
176KB

Download
memory/2864-102-0x0000000000B40000-0x0000000000B58000-memory.dmp

Filesize
96KB

Download
memory/2952-91-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2952-92-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download