umbral | 87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023584-44.dat	family_umbral
behavioral2/memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/744-109-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral2/memory/744-109-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables attemping to enumerate video devices using WMI 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023584-44.dat	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing possible sandbox analysis VM names 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023584-44.dat	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
behavioral2/memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames

Detects executables containing possible sandbox analysis VM usernames 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023584-44.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Detects executables containing possible sandbox system UUIDs 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023584-44.dat	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
behavioral2/memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023586-67.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/4608-82-0x0000000000AF0000-0x0000000000CD8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral2/memory/4220-346-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-350-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-352-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-351-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-349-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-347-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-345-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-343-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-344-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-342-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-353-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4220-363-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/4220-346-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-350-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-352-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-351-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-349-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-347-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-353-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4220-363-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1868	powershell.exe
1944	powershell.exe
4272	powershell.exe
4928	powershell.exe
3384	powershell.exe
2144	powershell.exe
3628	powershell.exe
1584	powershell.exe
3536	powershell.exe
4796	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000a000000023586-67.dat	net_reactor
behavioral2/memory/4608-82-0x0000000000AF0000-0x0000000000CD8000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	Nursultan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	MSBuild.exe

Executes dropped EXE 7 IoCs

pid	Process
4896	Nursultan Setup.exe
3508	Запустить Nursultan.exe
4608	Nursultan.exe
2040	CrackLauncher.exe
2332	jqvljmboayxs.exe
2408	svchost.exe
5108	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4220-341-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-346-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-350-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-352-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-351-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-349-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-347-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-345-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-343-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-344-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-342-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-353-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4220-363-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	MSBuild.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4924	powercfg.exe
2844	powercfg.exe
1988	powercfg.exe
3560	powercfg.exe
3552	powercfg.exe
1448	powercfg.exe
1872	powercfg.exe
2756	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Nursultan Setup.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	jqvljmboayxs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4608 set thread context of 744	4608	Nursultan.exe	109
PID 2332 set thread context of 4536	2332	jqvljmboayxs.exe	191
PID 2332 set thread context of 4220	2332	jqvljmboayxs.exe	196

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2952	sc.exe
1408	sc.exe
392	sc.exe
1668	sc.exe
4728	sc.exe
1820	sc.exe
5032	sc.exe
4720	sc.exe
2580	sc.exe
1320	sc.exe
2336	sc.exe
2980	sc.exe
4364	sc.exe
3464	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2104	wmic.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\shell\open	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\shell	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe
1584	powershell.exe
1584	powershell.exe
3536	powershell.exe
3536	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
1292	powershell.exe
1292	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
4896	Nursultan Setup.exe
744	MSBuild.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
4896	Nursultan Setup.exe
2332	jqvljmboayxs.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe
2332	jqvljmboayxs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	3508	Запустить Nursultan.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	744	MSBuild.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: 36	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	wmic.exe
Token: SeSecurityPrivilege	2588	wmic.exe
Token: SeTakeOwnershipPrivilege	2588	wmic.exe
Token: SeLoadDriverPrivilege	2588	wmic.exe
Token: SeSystemProfilePrivilege	2588	wmic.exe
Token: SeSystemtimePrivilege	2588	wmic.exe
Token: SeProfSingleProcessPrivilege	2588	wmic.exe
Token: SeIncBasePriorityPrivilege	2588	wmic.exe
Token: SeCreatePagefilePrivilege	2588	wmic.exe
Token: SeBackupPrivilege	2588	wmic.exe
Token: SeRestorePrivilege	2588	wmic.exe
Token: SeShutdownPrivilege	2588	wmic.exe
Token: SeDebugPrivilege	2588	wmic.exe
Token: SeSystemEnvironmentPrivilege	2588	wmic.exe
Token: SeRemoteShutdownPrivilege	2588	wmic.exe
Token: SeUndockPrivilege	2588	wmic.exe
Token: SeManageVolumePrivilege	2588	wmic.exe
Token: 33	2588	wmic.exe
Token: 34	2588	wmic.exe
Token: 35	2588	wmic.exe
Token: 36	2588	wmic.exe
Token: SeIncreaseQuotaPrivilege	3632	wmic.exe
Token: SeSecurityPrivilege	3632	wmic.exe
Token: SeTakeOwnershipPrivilege	3632	wmic.exe
Token: SeLoadDriverPrivilege	3632	wmic.exe
Token: SeSystemProfilePrivilege	3632	wmic.exe
Token: SeSystemtimePrivilege	3632	wmic.exe
Token: SeProfSingleProcessPrivilege	3632	wmic.exe
Token: SeIncBasePriorityPrivilege	3632	wmic.exe
Token: SeCreatePagefilePrivilege	3632	wmic.exe
Token: SeBackupPrivilege	3632	wmic.exe
Token: SeRestorePrivilege	3632	wmic.exe
Token: SeShutdownPrivilege	3632	wmic.exe
Token: SeDebugPrivilege	3632	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
744	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 3628	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	87
PID 1828 wrote to memory of 3628	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	87
PID 1828 wrote to memory of 4896	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	89
PID 1828 wrote to memory of 4896	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	89
PID 1828 wrote to memory of 1584	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	90
PID 1828 wrote to memory of 1584	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	90
PID 1828 wrote to memory of 3508	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	94
PID 1828 wrote to memory of 3508	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	94
PID 1828 wrote to memory of 3536	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	95
PID 1828 wrote to memory of 3536	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	95
PID 1828 wrote to memory of 4608	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	98
PID 1828 wrote to memory of 4608	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	98
PID 1828 wrote to memory of 4608	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	98
PID 3508 wrote to memory of 4220	3508	Запустить Nursultan.exe	99
PID 3508 wrote to memory of 4220	3508	Запустить Nursultan.exe	99
PID 1828 wrote to memory of 2040	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	101
PID 1828 wrote to memory of 2040	1828	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	101
PID 3508 wrote to memory of 4796	3508	Запустить Nursultan.exe	104
PID 3508 wrote to memory of 4796	3508	Запустить Nursultan.exe	104
PID 2040 wrote to memory of 3020	2040	CrackLauncher.exe	106
PID 2040 wrote to memory of 3020	2040	CrackLauncher.exe	106
PID 3508 wrote to memory of 4488	3508	Запустить Nursultan.exe	107
PID 3508 wrote to memory of 4488	3508	Запустить Nursultan.exe	107
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 4608 wrote to memory of 744	4608	Nursultan.exe	109
PID 3508 wrote to memory of 3868	3508	Запустить Nursultan.exe	110
PID 3508 wrote to memory of 3868	3508	Запустить Nursultan.exe	110
PID 3508 wrote to memory of 1292	3508	Запустить Nursultan.exe	112
PID 3508 wrote to memory of 1292	3508	Запустить Nursultan.exe	112
PID 3508 wrote to memory of 2588	3508	Запустить Nursultan.exe	114
PID 3508 wrote to memory of 2588	3508	Запустить Nursultan.exe	114
PID 3508 wrote to memory of 3632	3508	Запустить Nursultan.exe	117
PID 3508 wrote to memory of 3632	3508	Запустить Nursultan.exe	117
PID 3508 wrote to memory of 3336	3508	Запустить Nursultan.exe	119
PID 3508 wrote to memory of 3336	3508	Запустить Nursultan.exe	119
PID 3508 wrote to memory of 5092	3508	Запустить Nursultan.exe	121
PID 3508 wrote to memory of 5092	3508	Запустить Nursultan.exe	121
PID 3508 wrote to memory of 2104	3508	Запустить Nursultan.exe	123
PID 3508 wrote to memory of 2104	3508	Запустить Nursultan.exe	123
PID 3508 wrote to memory of 2528	3508	Запустить Nursultan.exe	125
PID 3508 wrote to memory of 2528	3508	Запустить Nursultan.exe	125
PID 744 wrote to memory of 4928	744	MSBuild.exe	127
PID 744 wrote to memory of 4928	744	MSBuild.exe	127
PID 744 wrote to memory of 4928	744	MSBuild.exe	127
PID 2528 wrote to memory of 1448	2528	cmd.exe	129
PID 2528 wrote to memory of 1448	2528	cmd.exe	129
PID 744 wrote to memory of 1868	744	MSBuild.exe	132
PID 744 wrote to memory of 1868	744	MSBuild.exe	132
PID 744 wrote to memory of 1868	744	MSBuild.exe	132
PID 744 wrote to memory of 1944	744	MSBuild.exe	134
PID 744 wrote to memory of 1944	744	MSBuild.exe	134
PID 744 wrote to memory of 1944	744	MSBuild.exe	134
PID 744 wrote to memory of 4272	744	MSBuild.exe	136
PID 744 wrote to memory of 4272	744	MSBuild.exe	136
PID 744 wrote to memory of 4272	744	MSBuild.exe	136
PID 744 wrote to memory of 2300	744	MSBuild.exe	138
PID 744 wrote to memory of 2300	744	MSBuild.exe	138
PID 744 wrote to memory of 2300	744	MSBuild.exe	138

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1872
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1376
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4728
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2980
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2952
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2844
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1988
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3552
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:4720
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2104
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4272
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2300
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3020

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2332
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2940
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:464
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1408
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1668
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:392
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4924
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4536
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4220

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adb2d5e1a5595365546f2bcd774a5be5

SHA1
b15ab5a08855b1b630197471d7ca7f81df9b8d3e

SHA256
47ea8cc898d4c287d4bbf125ac8f8247e76c9b99e266e4b351948dd0ae05683a

SHA512
fdaa080e169569298012a97de1897e5369aa04650b6c0c29570c88007f7b3d85653dfa86efdc9943c74d37c392fb46c6afc629d31172f4c692539e32d99a1372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ae9c6a04d93b4c896b37c718a3376bd9

SHA1
d2908ec0f67e6753e6e6e5c3cf8f4e0dedd078b4

SHA256
336394bc1f7d705a6c448d73afa81feb506a73124fcc3d1a66c106278cc6a5c6

SHA512
1936beb5cfcee3f92e7eb07abc1f81de45aa2b331e8dbbc10bb7120730a95ee3433de3136ffb9a1f5306c8af002af1a593d38acba375e5eb31129a48b14e1aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6ee93dad6026cd1d46e7c3c0f088eff9

SHA1
e9785ea3ca178050bf2f4f875702925b611c6ab3

SHA256
74cbc653b8c0f61b5ca03ebf4e77f73b885c81f5bea04dc671c3bdc750754b14

SHA512
8c41951e699ae2fb700fdb32fb3166310cf63c090274e5151f40db5ea0b1f3b2487d0d4f58d4cc90b8ef1b030bae687858d73d66107dac7a625f880037c634d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
69c616e3f57e1e1483a9af58346a75d8

SHA1
1a1954de5f69c99a37f819f5a5430cd52afaecf0

SHA256
529b7a6ee3ca4a565b1693b225dfddf3d23d7dfe9d0ad7f121e877cf14166e0c

SHA512
b2e84185eebb613c0fddb0a4de3658ad9d441f1f63dc2dece1035e44c51dd218144b288e016e4334683c26d24f45dcd39f7cdc74ae2b3760612fcdbfd04d37bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
31bfccb189f1cc148776a3a0a7852f86

SHA1
ceafe741dc1476fb1c6c7b40006979ed8d53d4af

SHA256
c95ed201b69c47ac163bc763259e1e69a2a3f18e529cac6e493594f609c836b3

SHA512
2773f6d7fd6dfa26520522f7aafb5f6f7c3a9d16ed812a0951d679cd2e9dc726600b557f53a5e42c2178e14bb9434bc1d862d4444ff0875a6d016401a404ce0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4lijxdj.ery.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/744-288-0x0000000006990000-0x0000000006A22000-memory.dmp

Filesize
584KB

Download
memory/744-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/744-289-0x0000000006280000-0x000000000628A000-memory.dmp

Filesize
40KB

Download
memory/1828-83-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/1828-24-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/1828-0-0x00007FFD407B3000-0x00007FFD407B5000-memory.dmp

Filesize
8KB

Download
memory/1828-1-0x00000000007F0000-0x0000000000AF0000-memory.dmp

Filesize
3.0MB

Download
memory/1868-229-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/1868-227-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/1944-240-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-251-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/2144-328-0x0000017A2EB30000-0x0000017A2EB38000-memory.dmp

Filesize
32KB

Download
memory/2144-326-0x0000017A2E6C0000-0x0000017A2E6CA000-memory.dmp

Filesize
40KB

Download
memory/2144-322-0x0000017A2E910000-0x0000017A2E92C000-memory.dmp

Filesize
112KB

Download
memory/2144-323-0x0000017A2E930000-0x0000017A2E9E5000-memory.dmp

Filesize
724KB

Download
memory/2144-324-0x0000017A2E6B0000-0x0000017A2E6BA000-memory.dmp

Filesize
40KB

Download
memory/2144-325-0x0000017A2EB50000-0x0000017A2EB6C000-memory.dmp

Filesize
112KB

Download
memory/2144-327-0x0000017A2EB70000-0x0000017A2EB8A000-memory.dmp

Filesize
104KB

Download
memory/2144-329-0x0000017A2EB40000-0x0000017A2EB46000-memory.dmp

Filesize
24KB

Download
memory/2144-330-0x0000017A2EB90000-0x0000017A2EB9A000-memory.dmp

Filesize
40KB

Download
memory/2408-356-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2408-357-0x00000000056D0000-0x00000000056EA000-memory.dmp

Filesize
104KB

Download
memory/2408-358-0x0000000005B60000-0x0000000005CBA000-memory.dmp

Filesize
1.4MB

Download
memory/3508-154-0x000002B1E2830000-0x000002B1E283A000-memory.dmp

Filesize
40KB

Download
memory/3508-155-0x000002B1FB200000-0x000002B1FB212000-memory.dmp

Filesize
72KB

Download
memory/3508-115-0x000002B1FB240000-0x000002B1FB2B6000-memory.dmp

Filesize
472KB

Download
memory/3508-117-0x000002B1FB1E0000-0x000002B1FB1FE000-memory.dmp

Filesize
120KB

Download
memory/3508-51-0x000002B1E0AC0000-0x000002B1E0B00000-memory.dmp

Filesize
256KB

Download
memory/3508-116-0x000002B1FB2C0000-0x000002B1FB310000-memory.dmp

Filesize
320KB

Download
memory/3628-12-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/3628-17-0x000001E363080000-0x000001E36329C000-memory.dmp

Filesize
2.1MB

Download
memory/3628-18-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/3628-14-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/3628-13-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp

Filesize
10.8MB

Download
memory/3628-11-0x000001E3633A0000-0x000001E3633C2000-memory.dmp

Filesize
136KB

Download
memory/4220-351-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-347-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-363-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-353-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-342-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-344-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-343-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-346-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-345-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-350-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-341-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-348-0x000001D852340000-0x000001D852360000-memory.dmp

Filesize
128KB

Download
memory/4220-349-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4220-352-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4272-273-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/4272-271-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/4536-340-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4536-333-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4536-334-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4536-335-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4536-337-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4536-336-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4608-82-0x0000000000AF0000-0x0000000000CD8000-memory.dmp

Filesize
1.9MB

Download
memory/4608-99-0x0000000005F80000-0x0000000006036000-memory.dmp

Filesize
728KB

Download
memory/4608-97-0x00000000064B0000-0x0000000006A54000-memory.dmp

Filesize
5.6MB

Download
memory/4608-95-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/4928-205-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/4928-191-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4928-189-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-209-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/4928-210-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/4928-211-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/4928-212-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/4928-207-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/4928-206-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/4928-204-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/4928-214-0x0000000007900000-0x0000000007908000-memory.dmp

Filesize
32KB

Download
memory/4928-208-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/4928-192-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/4928-193-0x0000000006940000-0x0000000006972000-memory.dmp

Filesize
200KB

Download
memory/4928-194-0x00000000705A0000-0x00000000705EC000-memory.dmp

Filesize
304KB

Download
memory/4928-179-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4928-178-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4928-177-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/4928-176-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4928-175-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/4928-213-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download