Analysis
- max time kernel: 450s
- max time network: 457s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 03-02-2022 08:37
- Static task: static1
- URLScan task: urlscan1
General

Malware Config

Extracted: limerat
- aes_key: blunts
- antivm: true
- c2_url: https://pastebin.com/raw/1NRAsuVh
- delay: 3
- download_payload: false
- install: true
- install_name: FortniteAimbotESP.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: true
Signatures

Detect Neshta Payload (1 IoC)
Processes:
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack.zip: yara_rule family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.

Contains SnakeBOT related strings (1 IoC)
Processes:
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack.zip: yara_rule snakebot_strings

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Executes dropped EXE (25 IoCs)
Processes (pid, process):
- 3956 Amazon GC Checker by Sen0a.exe
- 4368 UserOOBE.exe
- 5068 database32.lib
- 4684 winsrvhost.exe
- 1476 Amazon Gen.exe
- 1480 database32.bin
- 1148 database32.bin
- 640 database32.lib
- 1836 FortniteAimbotESPcracked.exe
- 516 alocal.cfg
- 2380 EPass To Upass.exe
- 2244 Qt5Core.bin
- 2612 Elite Dups Remover 1.5.exe
- 4004 data.bin
- 3784 _Keyword Scraper v1.exe
- 2412 Qt5Core.dll
- 420 KPortScan3.exe
- 4900 data.lib
- 2508 Malwarebytes [Crack.sx].exe
- 3848 data.cfg
- 4076 MD5 Hash Decoder [v2.0].exe
- 5000 ldap60.bin
- 2044 Minecraft Generator By Zed.exe
- 3252 ldap60.lib
- 5064 UMT.exe
Modifies Installed Components in the registry (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (UserOOBE.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (UserOOBE.exe)
Loads dropped DLL (53 IoCs)
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack.zip: yara_rule agile_net

Processes:
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\data32.cfg: yara_rule themida
- C:\ProgramData\UserOOBE\UserOOBE.exe: yara_rule themida
- C:\ProgramData\UserOOBE\UserOOBE.exe: yara_rule themida
- behavioral1/memory/4368-126-0x0000000000400000-0x0000000000866000-memory.dmp: yara_rule themida
- behavioral1/memory/4368-127-0x0000000000400000-0x0000000000866000-memory.dmp: yara_rule themida
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (UMT.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UMT Start = "C:\\ProgramData\\NSGMFX\\UMT.exe" (UMT.exe)

Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (UserOOBE.exe)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only): \??\D: (explorer.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid, process):
- 4368 UserOOBE.exe
Drops file in Windows directory (4 IoCs)
Processes:
- File created: C:\Windows\rescache\_merged\1601268389\1361672858.pri (SearchUI.exe)
- File created: C:\Windows\rescache\_merged\4183903823\97717462.pri (ShellExperienceHost.exe)
- File created: C:\Windows\rescache\_merged\4032412167\2701812693.pri (ShellExperienceHost.exe)
- File created: C:\Windows\rescache\_merged\2717123927\1253081315.pri (explorer.exe)

Detects Pyinstaller (5 IoCs)
Processes:
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\database32.lib: yara_rule pyinstaller
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\database32.lib: yara_rule pyinstaller
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin: yara_rule pyinstaller
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin: yara_rule pyinstaller
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin: yara_rule pyinstaller
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID (explorer.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 5 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (SearchUI.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (SearchUI.exe)
Modifies registry class (11 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0400000003000000020000000100000000000000ffffffff (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings (chrome.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0200000004000000030000000100000000000000ffffffff (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings (explorer.exe)
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (38 IoCs)
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes (pid, process):
- 4900 data.lib
- 5000 ldap60.bin
- 3720 SearchUI.exe
- 1328 ShellExperienceHost.exe
- 1328 ShellExperienceHost.exe
- 5064 UMT.exe
- 5064 UMT.exe
- 5064 UMT.exe
- 5064 UMT.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- "C:\Program Files\Google\Chrome\Application\chrome.exe" https://gofile.io/d/ifZLuM
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb70ee4f50,0x7ffb70ee4f60,0x7ffb70ee4f70
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6028 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6060 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,6672573409207444617,325828785303805677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exe  (level 1)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe  (level 1)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\" -spe -an -ai#7zMap31420:156:7zEvent21596
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\Amazon GC Checker by Sen0a.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\Amazon GC Checker by Sen0a.exe"
  - Executes dropped EXE
  C:\ProgramData\UserOOBE\UserOOBE.exe  (level 2)
    C:\ProgramData\\UserOOBE\\UserOOBE.exe ,.
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\database32.lib  (level 2)
    database32.lib
    - Executes dropped EXE
    C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\database32.lib  (level 3)
      database32.lib
      - Executes dropped EXE
      - Loads dropped DLL
      C:\Windows\system32\cmd.exe  (level 4)
        C:\Windows\system32\cmd.exe /c mode con: cols=120 lines=30
        C:\Windows\system32\mode.com  (level 5)
          mode con: cols=120 lines=30
  C:\ProgramData\winsrvhost\winsrvhost.exe  (level 2)
    C:\ProgramData\\winsrvhost\\winsrvhost.exe
    - Executes dropped EXE
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\Amazon Gen.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\Amazon Gen.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin  (level 2)
    database32.bin
    - Executes dropped EXE
    C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin  (level 3)
      database32.bin
      - Executes dropped EXE
      - Loads dropped DLL
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\FortniteAimbotESP Cracked\FortniteAimbotESPcracked.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\FortniteAimbotESP Cracked\alocal.cfg  (level 2)
    alocal.cfg
    - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe  (level 3)
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\FortniteAimbotESP.exe'"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\FortniteAimbotESP.exe  (level 3)
      "C:\Users\Admin\AppData\Local\Temp\FortniteAimbotESP.exe"
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\EmailPass To Userpass\EPass To Upass.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\EmailPass To Userpass\EPass To Upass.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\EmailPass To Userpass\Qt5Core.bin  (level 2)
    Qt5Core.bin
    - Executes dropped EXE
    - Loads dropped DLL
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Dupe Remover\Elite Dups Remover 1.5.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Dupe Remover\Elite Dups Remover 1.5.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Dupe Remover\data.bin  (level 2)
    data.bin
    - Executes dropped EXE
    - Loads dropped DLL
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Keyword Scraper - by xRisky\_Keyword Scraper v1.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Keyword Scraper - by xRisky\_Keyword Scraper v1.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Keyword Scraper - by xRisky\Qt5Core.dll  (level 2)
    Qt5Core.dll
    - Executes dropped EXE
    - Loads dropped DLL
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\KPortScan 3.0\KPortScan3.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\KPortScan 3.0\KPortScan3.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\KPortScan 3.0\data.lib  (level 2)
    data.lib
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Malwarebytes [Crack.sx]\Malwarebytes [Crack.sx].exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Malwarebytes [Crack.sx]\Malwarebytes [Crack.sx].exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Malwarebytes [Crack.sx]\data.cfg  (level 2)
    data.cfg
    - Executes dropped EXE
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\MD5 Hash Decoder [v2.0]\MD5 Hash Decoder [v2.0].exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\MD5 Hash Decoder [v2.0]\MD5 Hash Decoder [v2.0].exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\MD5 Hash Decoder [v2.0]\ldap60.bin  (level 2)
    ldap60.bin
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Minecraft Generator By Zed\Minecraft Generator By Zed.exe  (level 1)
  "C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Minecraft Generator By Zed\Minecraft Generator By Zed.exe"
  - Executes dropped EXE
  C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Minecraft Generator By Zed\ldap60.lib  (level 2)
    ldap60.lib
    - Executes dropped EXE
    C:\ProgramData\NSGMFX\UMT.exe  (level 3)
      "C:\ProgramData\NSGMFX\UMT.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\werfault.exe  (level 1)
  werfault.exe /h /shared Global\6c833cff1d8f44ff8a0299eb3d93bbb3 /t 4984 /p 1876
C:\Windows\explorer.exe  (level 1)
  explorer.exe
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  (level 1)
  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  (level 1)
  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\UserOOBE\UserOOBE.exe
  MD5     a45d72861c04aed5572d07cc35b23e75
  SHA1    1939ee9056721ac184fc2257c2076c89e843b822
  SHA256  fcaaafe25027d1a1611df258626527c35b01fb82c19f5d9648c7b7562f1d95da
  SHA512  2ecd805fd512913df33e9b411b1dcc5ba74e9b44fb6fdab2894a8e37de00ee3725e32be6a2eedd6c6102225b7e73145ec9cfee834b3de86bfcd3ec868f34ab29
- C:\ProgramData\winsrvhost\winsrvhost.exe
  MD5     20c523142f15b0120a7dcd6afef1c37c
  SHA1    cf0adc270f17108c5f83febaba66769ed1b02da3
  SHA256  03fe6ee0fb2d086f49999e5180453dcd9b7df0d38f4543fb5ccd97a65371f947
  SHA512  00e171cad808010c197ecf5e098cbbef2d8f5d4fc69af92b5215ea5ffcaec8cfddc46fd4527e164e7befc8ba15ec5c491bf539dc4574cb900209c7d9d5f1ae27
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140.dll
  MD5     a87575e7cf8967e481241f13940ee4f7
  SHA1    879098b8a353a39e16c79e6479195d43ce98629e
  SHA256  ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
  SHA512  e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\_ctypes.pyd
  MD5     41a9708af86ae3ebc358e182f67b0fb2
  SHA1    accab901e2746f7da03fab8301f81a737b6cc180
  SHA256  0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf
  SHA512  835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\base_library.zip
  MD5     ab6d3149a35e6baddf630cdcefe0dab5
  SHA1    44cdb197e8e549a503f6cfcb867a83bf2214d01c
  SHA256  1d91fa604893531393f83e03e68eb97d2c14c2d957ed33877d2b27b7c30ce059
  SHA512  28a882e86d92d42ff983b68445cc90431c2b65b7ec3abbffb5585a9750d67b8b52a1361e20d4d80ca4a30b927fe543a2e9c9a65c1846e42a112b511ddc59545a
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\python3.DLL
  MD5     c38e9571f33898eb9f3da53dc29b512f
  SHA1    5be348c829b6dfa008d0dd239414ad388e5d7ace
  SHA256  70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79
  SHA512  1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\python310.dll
  MD5     c6c37b848273e2509a7b25abe8bf2410
  SHA1    b27cfbd31336da1e9b1f90e8f649a27154411d03
  SHA256  b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8
  SHA512  222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40
- C:\Users\Admin\AppData\Local\Temp\_MEI14802\ucrtbase.dll
  MD5     5b1c91b53ac3c3026d50de8c05aba139
  SHA1    b9c2d160b1ce856d9904a340362236473a3d559c
  SHA256  d804ea40eacfc22a5e029b66d6d4f83d81f76a7ead80313b33839253f90af6b7
  SHA512  8e01056830e65320d684245bf055305e03ef136545efb51aad484a5b1b006f7d534c30b7973da8628f49c31710ae23d3420f941156c941172b97efe9e1ef9a1f
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack.zip
  MD5     f49ef0b6658440036ef1290a8a4a93c2
  SHA1    61a6b9a9a7a6f277ef8258eb47bb25d2299d5b9f
  SHA256  d212d98ac141ce9579cdfeec15b6bb1dd4f7ed22d4d46b45396b7461fd3de667
  SHA512  59901a2f2958486683901c12bfadbd0821c70a66996e56da35b947ba2ac6f56338ce0c676fdc825121cad8e5a27f46a8ace2b1308971167339ca7542f5cadf09
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\Amazon GC Checker by Sen0a.exe
  MD5     f0dc7ceb074700afbe3521ae560d5eab
  SHA1    1e70a90da14cdf3c16347c19d28ce6e882f1a721
  SHA256  6759a46583e63b1cb1f51d3fa411b2f4745b7e0571275fd048f480c1bd94fb4f
  SHA512  778f40cda8c68066c1489b97fbe370d68619189a4ac34f6ed79dec5827b8c19d8f0b0c5630e1ac779437258a685fa0c5e4f1e761728b9b9ef3b43f6fd8595f27
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\concrt140.bin
  MD5     20c523142f15b0120a7dcd6afef1c37c
  SHA1    cf0adc270f17108c5f83febaba66769ed1b02da3
  SHA256  03fe6ee0fb2d086f49999e5180453dcd9b7df0d38f4543fb5ccd97a65371f947
  SHA512  00e171cad808010c197ecf5e098cbbef2d8f5d4fc69af92b5215ea5ffcaec8cfddc46fd4527e164e7befc8ba15ec5c491bf539dc4574cb900209c7d9d5f1ae27
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\data32.cfg
  MD5     a45d72861c04aed5572d07cc35b23e75
  SHA1    1939ee9056721ac184fc2257c2076c89e843b822
  SHA256  fcaaafe25027d1a1611df258626527c35b01fb82c19f5d9648c7b7562f1d95da
  SHA512  2ecd805fd512913df33e9b411b1dcc5ba74e9b44fb6fdab2894a8e37de00ee3725e32be6a2eedd6c6102225b7e73145ec9cfee834b3de86bfcd3ec868f34ab29
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon GC Checker By Sen0a\database32.lib
  MD5     da98fa8d513449fd7099fd4ffce67658
  SHA1    860c88e32a1236c7ffc408cd648441edc33ec864
  SHA256  0ff0661173044a63362910004ca54f310c8f6b6dc9fa81f9e3ed7fb88c4adf00
  SHA512  d7557be604655b4fac773aca02e6f8330630abe547ee5cd9f095304b3de7ec5514dba62ac0c704855a994872a0ad9eadd3b5d6ff23ac85569f3d006d1078ae8a
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\Amazon Gen.exe
  MD5     805be309f925e5b2649ef67412bf8cb9
  SHA1    bf6f99dff0500ef5982c39760f9400992ca1ee79
  SHA256  b064441c80a9d0d515a9581ca050a20438774225ee505159a7f5250163955de7
  SHA512  d917a6826471d112cd93e24bb37dfb3c455b6638b7296076c03279b2d4572cb715259a73ec79e8caf214a2f03c8b8f3d988bb07b6f954cca93fd2caa39f2e0ba
- C:\Users\Admin\Desktop\50-Cracking-Tools-All-The-Tools-You-Need-To-Crack\Amazon Gen By Sleep\database32.bin
  MD5     2582517c97036ad1a37291bca5434f62
  SHA1    ede9eccf1da5122a04555bac9d3413b637886c85
  SHA256  d8089e81d2f768a198d23691af979d3d677ee6cca59a58efd1a681e97d1a5889
  SHA512  4a67fc5ece89a63bbd74858cb43d4933d80134fd6be3dba04cb88795fadcfe91bf9c8a6fc840233df6b3428290781d4fe6008ac515d1d528a2744ba8bcd29724
- \??\pipe\crashpad_4116_YKYHENLTCREGRDIJ
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\_MEI14802\VCRUNTIME140.dll
  MD5     a87575e7cf8967e481241f13940ee4f7
  SHA1    879098b8a353a39e16c79e6479195d43ce98629e
  SHA256  ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
  SHA512  e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0
- \Users\Admin\AppData\Local\Temp\_MEI14802\python3.dll
  MD5     c38e9571f33898eb9f3da53dc29b512f
  SHA1    5be348c829b6dfa008d0dd239414ad388e5d7ace
  SHA256  70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79
  SHA512  1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e
- \Users\Admin\AppData\Local\Temp\_MEI14802\python310.dll
  MD5     c6c37b848273e2509a7b25abe8bf2410
  SHA1    b27cfbd31336da1e9b1f90e8f649a27154411d03
  SHA256  b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8
  SHA512  222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40
- \Users\Admin\AppData\Local\Temp\_MEI14802\ucrtbase.dll
  MD5     5b1c91b53ac3c3026d50de8c05aba139
  SHA1    b9c2d160b1ce856d9904a340362236473a3d559c
  SHA256  d804ea40eacfc22a5e029b66d6d4f83d81f76a7ead80313b33839253f90af6b7
  SHA512  8e01056830e65320d684245bf055305e03ef136545efb51aad484a5b1b006f7d534c30b7973da8628f49c31710ae23d3420f941156c941172b97efe9e1ef9a1f
- memory/516-144-0x0000000000E50000-0x0000000000E5C000-memory.dmp  Filesize 48KB
- memory/516-173-0x0000000005880000-0x00000000058E6000-memory.dmp  Filesize 408KB
- memory/516-185-0x0000000005970000-0x0000000005971000-memory.dmp  Filesize 4KB
- memory/2244-146-0x0000000000B10000-0x0000000000BC6000-memory.dmp  Filesize 728KB
- memory/2244-154-0x0000000005540000-0x0000000005A3E000-memory.dmp  Filesize 5.0MB
- memory/2244-189-0x0000000005540000-0x0000000005A3E000-memory.dmp  Filesize 5.0MB
- memory/2244-266-0x00000000076A0000-0x00000000076B9000-memory.dmp  Filesize 100KB
- memory/2412-148-0x00000000049B0000-0x0000000004A4C000-memory.dmp  Filesize 624KB
- memory/2412-149-0x0000000004F50000-0x000000000544E000-memory.dmp  Filesize 5.0MB
- memory/2412-150-0x0000000004A50000-0x0000000004AE2000-memory.dmp  Filesize 584KB
- memory/2412-270-0x00000000074B0000-0x00000000074C9000-memory.dmp  Filesize 100KB
- memory/2412-232-0x0000000008AC0000-0x0000000008E10000-memory.dmp  Filesize 3.3MB
- memory/2412-145-0x0000000000060000-0x0000000000106000-memory.dmp  Filesize 664KB
- memory/2412-159-0x00000000058F0000-0x0000000005D8C000-memory.dmp  Filesize 4.6MB
- memory/2412-155-0x00000000023B0000-0x00000000023F1000-memory.dmp  Filesize 260KB
- memory/2412-211-0x00000000023B0000-0x00000000023F1000-memory.dmp  Filesize 260KB
- memory/3124-281-0x0000000001050000-0x0000000001070000-memory.dmp  Filesize 128KB
- memory/4004-153-0x0000000002A30000-0x0000000002B10000-memory.dmp  Filesize 896KB
- memory/4004-157-0x0000000005310000-0x0000000005366000-memory.dmp  Filesize 344KB
- memory/4004-147-0x0000000000650000-0x00000000006F4000-memory.dmp  Filesize 656KB
- memory/4004-264-0x0000000006C90000-0x0000000006CA9000-memory.dmp  Filesize 100KB
- memory/4004-156-0x0000000005270000-0x000000000527A000-memory.dmp  Filesize 40KB
- memory/4004-191-0x0000000002A30000-0x0000000002B10000-memory.dmp  Filesize 896KB
- memory/4368-126-0x0000000000400000-0x0000000000866000-memory.dmp  Filesize 4.4MB
- memory/4368-127-0x0000000000400000-0x0000000000866000-memory.dmp  Filesize 4.4MB
- memory/4368-128-0x0000000077BC0000-0x0000000077D4E000-memory.dmp  Filesize 1.6MB
- memory/5000-186-0x00000000091A0000-0x000000000924A000-memory.dmp  Filesize 680KB
- memory/5000-158-0x0000000007480000-0x000000000758E000-memory.dmp  Filesize 1.1MB
- memory/5000-193-0x0000000004A23000-0x0000000004A25000-memory.dmp  Filesize 8KB
- memory/5000-152-0x0000000004980000-0x00000000049E0000-memory.dmp  Filesize 384KB
- memory/5000-165-0x00000000049E0000-0x0000000004A21000-memory.dmp  Filesize 260KB
- memory/5000-151-0x0000000000160000-0x000000000019E000-memory.dmp  Filesize 248KB
- memory/5000-267-0x000000000B6E0000-0x000000000B6F9000-memory.dmp  Filesize 100KB
- memory/5000-163-0x0000000007D50000-0x0000000007DA4000-memory.dmp  Filesize 336KB
- memory/5064-263-0x00000000025F0000-0x0000000002609000-memory.dmp  Filesize 100KB
- memory/5064-268-0x00000000007B0000-0x00000000008FA000-memory.dmp  Filesize 1.3MB