Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 20:32

General

  • Target

    CrackLauncher.exe

  • Size

    11.0MB

  • MD5

    6e83abec9f716d835af0218de2e10f5b

  • SHA1

    97c96e13386a6fd72a2e4801275010792148f568

  • SHA256

    1f10504eb52fe1556cee84028237da6eca0a098b271e36de762d055fe45fe832

  • SHA512

    c79404cd329404b23143745123df38af50b7d6c7489b7fb711957ba2ecaf6b91ec1f9f797c889e237e696c5e7ace68eafb10980003f16b3197ecbc648e0cfe54

  • SSDEEP

    196608:V+ilNq4x9N+fLlfsuVWxZPvjeLOHmBE/uiw5/GOvXzguqFN8:VLzt+5VWXjnmBOuiwGak

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1246359551327080458/_RNfMDTj42REcvsGkS0Ec178tWSglm-J1cCUKGG6YvuuI2WRJnUEo_sWP9oDEqJyerTy

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • BlackGuard

    Infostealer first seen in late 2021.

  • Checks computer location settings 2 TTPs 42 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
            PID:3304
        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
          3⤵
          • Executes dropped EXE
          PID:4508
        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
            4⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              5⤵
                PID:1860
            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
              4⤵
              • Executes dropped EXE
              PID:4700
            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                5⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2952
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  6⤵
                    PID:4188
                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:2608
                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1628
                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                    6⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1300
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      7⤵
                        PID:436
                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:4548
                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                      6⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:2556
                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                        7⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2160
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c cls
                          8⤵
                            PID:3956
                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:3816
                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                          7⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:3232
                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                            8⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:388
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c cls
                              9⤵
                                PID:2164
                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                              8⤵
                              • Executes dropped EXE
                              PID:4032
                            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                              8⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:4700
                              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                9⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:4368
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c cls
                                  10⤵
                                    PID:1456
                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                  9⤵
                                  • Executes dropped EXE
                                  PID:2632
                                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                  9⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:348
                                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                    10⤵
                                    • Executes dropped EXE
                                    PID:1252
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c cls
                                      11⤵
                                        PID:4972
                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                      10⤵
                                      • Executes dropped EXE
                                      PID:1568
                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                      10⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      PID:1484
                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                        11⤵
                                        • Executes dropped EXE
                                        PID:3360
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c cls
                                          12⤵
                                            PID:4400
                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                          11⤵
                                          • Executes dropped EXE
                                          PID:3684
                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                          11⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          PID:4332
                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                            12⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            PID:4372
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c cls
                                              13⤵
                                                PID:2500
                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                              12⤵
                                              • Executes dropped EXE
                                              PID:4032
                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                              12⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              PID:1456
                                              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                13⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                PID:4608
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c cls
                                                  14⤵
                                                    PID:2192
                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                  13⤵
                                                  • Executes dropped EXE
                                                  PID:4700
                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                  13⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  PID:1752
                                                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                    14⤵
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:4480
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c cls
                                                      15⤵
                                                        PID:4352
                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                      14⤵
                                                      • Executes dropped EXE
                                                      PID:1484
                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                      14⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      PID:4340
                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                        15⤵
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        PID:1612
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c cls
                                                          16⤵
                                                            PID:5184
                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                          15⤵
                                                          • Executes dropped EXE
                                                          PID:4012
                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                          15⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          PID:5176
                                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                            16⤵
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:5252
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c cls
                                                              17⤵
                                                                PID:5392
                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                              16⤵
                                                              • Executes dropped EXE
                                                              PID:5316
                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                              16⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              PID:5408
                                                              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:5468
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                  18⤵
                                                                    PID:5596
                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                  17⤵
                                                                  • Executes dropped EXE
                                                                  PID:5540
                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                  17⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  PID:5620
                                                                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                    18⤵
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    PID:5672
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                      19⤵
                                                                        PID:5800
                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                      18⤵
                                                                      • Executes dropped EXE
                                                                      PID:5744
                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                      18⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:5824
                                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                        19⤵
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        PID:5892
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                          20⤵
                                                                            PID:6016
                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                          19⤵
                                                                          • Executes dropped EXE
                                                                          PID:5960
                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                          19⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          PID:6040
                                                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                            20⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            PID:6092
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                              21⤵
                                                                                PID:3456
                                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                              20⤵
                                                                              • Executes dropped EXE
                                                                              PID:4424
                                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                              20⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              PID:4396
                                                                              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                21⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                PID:5276
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                  22⤵
                                                                                    PID:5240
                                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                  21⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:5388
                                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                  21⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  PID:5416
                                                                                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                    22⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5568
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                      23⤵
                                                                                        PID:5732
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                      22⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:5432
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                      22⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      PID:5740
                                                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                        23⤵
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:5644
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                                          24⤵
                                                                                            PID:6036
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                          23⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:5940
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                          23⤵
                                                                                          • Checks computer location settings
                                                                                          PID:5876
                                                                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                            24⤵
                                                                                            • Modifies registry class
                                                                                            PID:6128
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                                              25⤵
                                                                                                PID:5128
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                              24⤵
                                                                                                PID:3304
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                24⤵
                                                                                                • Checks computer location settings
                                                                                                PID:2944
                                                                                                • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                  25⤵
                                                                                                  • Modifies registry class
                                                                                                  PID:5316
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                    26⤵
                                                                                                      PID:5176
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                    25⤵
                                                                                                      PID:5240
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                      25⤵
                                                                                                      • Checks computer location settings
                                                                                                      PID:3212
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                        26⤵
                                                                                                        • Modifies registry class
                                                                                                        PID:4544
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                                                          27⤵
                                                                                                            PID:1100
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                          26⤵
                                                                                                            PID:5480
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                            26⤵
                                                                                                            • Checks computer location settings
                                                                                                            PID:4680
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                              27⤵
                                                                                                                PID:6012
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                  28⤵
                                                                                                                    PID:5124
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                  27⤵
                                                                                                                    PID:5636
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                    27⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    PID:4424
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                      28⤵
                                                                                                                      • Modifies registry class
                                                                                                                      PID:5128
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                                                                        29⤵
                                                                                                                          PID:1656
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                        28⤵
                                                                                                                          PID:3688
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                          28⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          PID:5268
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                            29⤵
                                                                                                                            • Modifies registry class
                                                                                                                            PID:5340
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                                                                              30⤵
                                                                                                                                PID:4188
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                              29⤵
                                                                                                                                PID:1132
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                                29⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                PID:5416
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                                  30⤵
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:5948
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                                    31⤵
                                                                                                                                      PID:376
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                                    30⤵
                                                                                                                                      PID:4828
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                                      30⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      PID:5180
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                                        31⤵
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:6068
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                                                                                          32⤵
                                                                                                                                            PID:5564
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                                          31⤵
                                                                                                                                            PID:2472
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                                            31⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            PID:5752
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                                              32⤵
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:4924
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                33⤵
                                                                                                                                                  PID:4472
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                                                32⤵
                                                                                                                                                  PID:5624
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                                                  32⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  PID:3676
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                                                                                                                    33⤵
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:5228
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                      34⤵
                                                                                                                                                        PID:5600
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
33⤵
  PID:228
  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    33⤵
    • Checks computer location settings
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      34⤵
        PID:5736
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          35⤵
            PID:3112
        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
          34⤵
            PID:3752
          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
            "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
            34⤵
            • Checks computer location settings
            PID:4780
            • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
              "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
              35⤵
              • Modifies registry class
              PID:5200
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                36⤵
                  PID:3428
              • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                35⤵
                  PID:5888
                • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                  35⤵
                  • Checks computer location settings
                  PID:1808
                  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                    36⤵
                    • Modifies registry class
                    PID:4828
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      37⤵
                        PID:400
                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                      36⤵
                        PID:4576
                      • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                        "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                        36⤵
                        • Checks computer location settings
                        PID:4696
                        • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                          "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                          37⤵
                          • Modifies registry class
                          PID:6072
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c cls
                            38⤵
                              PID:4968
                          • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                            "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                            37⤵
                              PID:5984
                            • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                              "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                              37⤵
                              • Checks computer location settings
                              PID:4472
                              • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                38⤵
                                • Modifies registry class
                                PID:1884
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c cls
                                  39⤵
                                    PID:3304
                                • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                  38⤵
                                    PID:4400
                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                    38⤵
                                    • Checks computer location settings
                                    PID:2088
                                    • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                      39⤵
                                      • Modifies registry class
                                      PID:2144
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cls
                                        40⤵
                                          PID:2444
                                      • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                        39⤵
                                          PID:2556
                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                          39⤵
                                          • Checks computer location settings
                                          PID:4696
                                          • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                            "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                            40⤵
                                            • Modifies registry class
                                            PID:3856
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c cls
                                              41⤵
                                                PID:3168
                                            • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                              40⤵
                                                PID:4132
                                              • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                40⤵
                                                • Checks computer location settings
                                                PID:1248
                                                • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                  41⤵
                                                  • Modifies registry class
                                                  PID:4968
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c cls
                                                    42⤵
                                                      PID:5416
                                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                    41⤵
                                                      PID:3816
                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                      41⤵
                                                      • Checks computer location settings
                                                      PID:6120
                                                      • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                        42⤵
                                                        • Modifies registry class
                                                        PID:6084
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c cls
                                                          43⤵
                                                            PID:3832
                                                        • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                          42⤵
                                                            PID:4780
                                                          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                            42⤵
                                                            • Checks computer location settings
                                                            PID:5368
                                                            • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
                                                              43⤵
                                                              • Modifies registry class
                                                              PID:4960
                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                                                                                    44⤵
                                                                                                                                                                                                                      PID:5312
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe"
                                                                                                                                                                                                                    43⤵
                                                                                                                                                                                                                      PID:4780
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
                                                                                                                                                                                                                      43⤵
                                                                                                                                                                                                                        PID:2040
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Nursultan Crack.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Nursultan Crack.exe"
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1408
                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
                                                                                                                                      2⤵
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:4428
                                                                                                                                  • C:\Windows\System32\rundll32.exe
                                                                                                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                    1⤵
                                                                                                                                      PID:1344
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4484 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
                                                                                                                                      1⤵
                                                                                                                                        PID:3516

                                                                                                                                      Network

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique and sub-technique with ATT&CK ID and count:

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 1

Credential Access
  • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 3

Collection
  • Data from Local System (T1005): 2


Downloads

• C:\ProgramData\44\Process.txt
  Filesize: 629B
  MD5: ba985e6e06aea52fdfdbf3812506ff00
  SHA1: e679c96c472e9110b993d241da7dcd2aa448693d
  SHA256: fafc9744bb27409a06a12bf68754024b22efa96a18ca3642b56c0724d514e3d4
  SHA512: 40575f180696290988d3a4778dbbe61ae28fea46c001d77c31cc6c910a7522084509e8a77f56593be859bf34e9fe8fcd82cbeb8ef51cfe7c93ac2715b41236f7

• C:\ProgramData\44\Process.txt
  Filesize: 1KB
  MD5: de5a03715eb186752c6693767ecdba95
  SHA1: 65745032ffc8d86612198ea0eed6ff9085eda008
  SHA256: fffd8a2452a1382bcd1c7338d5be0a9c6e89693de91589dcb4c9fbcc265878c4
  SHA512: 3e90da4634dfcc86d1755dd312f6f7ba46c9d5c7cd128f56c46fb86af5f94476cee9b76c12d263b8436878bff5516324817feb6a7de98679f9492d3689e1cbb4

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan Alpha.exe.log
  Filesize: 443B
  MD5: 8add56521ef894ef0c66ecd3e989d718
  SHA1: 2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f
  SHA256: 01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724
  SHA512: af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

• C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  Filesize: 102KB
  MD5: c137c5f5287d73a94d55bc18df238303
  SHA1: 95b4b01775bea14feaaa462c98d969eb81696d2c
  SHA256: d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
  SHA512: ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

• C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha.exe
  Filesize: 370KB
  MD5: f5508b96c77974e16222c327d3ab32e0
  SHA1: ef46ac8665bdc5ccf271d63ccf737eb403f2ba65
  SHA256: 3631e8e113e777fa39b6d6c508a333ed6dcf09cd373b8309a38de1d438679c67
  SHA512: 1102899c73a4117cfd0d76e5bec66b1c230fdd15fdf7fcc360987d33345935ffb9a37cc3b8b5fde9a6c92a744d21a5acc55adfe8ff7fd252e3490516256795bb

• C:\Users\Admin\AppData\Local\Temp\Nursultan Crack.exe
  Filesize: 274KB
  MD5: 5bbac1e997b7c1abc8b5a29d705fdb3c
  SHA1: aeabadf2071d101818a2324005816f64268db8a7
  SHA256: 1303ded517a6efd0e5f4afdc7131bd41a2d978c9459100d6a7068e7375be7288
  SHA512: ed3b4cdc64fb25d102ce52b48cd40f3cc4220eb9f82e219f471ce66aece10b9419a7fcec33982bad8a5503d458682d55b848f5af57541b597c771428a210bb6a

• C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  Filesize: 7.0MB
  MD5: 7f9d9ef6dbc0b785669ee868cd2bae3e
  SHA1: 1c393a801a0da9a0d994ce28969283de6c0d6ae2
  SHA256: 4bce807b3a1d1f09059efa1adf2f99399a146b1c40f5661ba8b96224da1ad3cb
  SHA512: 2eb7733b00e8b50bf7f3dbd1242cc18ac94b948f874a4f4c2cb8fa678082e797a601ee4e86e218a1514ca08532ab99ad055cd17cf11e8f00b8ff1f717e7d3651

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34lxz12x.enb.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• memory/1408-124-0x00007FF9E9870000-0x00007FF9EA331000-memory.dmp
  Filesize: 10.8MB

• memory/1408-122-0x000001D400F20000-0x000001D400F6A000-memory.dmp
  Filesize: 296KB

• memory/1408-294-0x00007FF9E9870000-0x00007FF9EA331000-memory.dmp
  Filesize: 10.8MB

• memory/2180-62-0x00007FF9E9873000-0x00007FF9E9875000-memory.dmp
  Filesize: 8KB

• memory/2180-111-0x00000000009C0000-0x00000000010C4000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        7.0MB

                                                                                                                                      • memory/4428-295-0x0000000005080000-0x00000000050A2000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                      • memory/4428-320-0x0000000005C70000-0x0000000005FC4000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        3.3MB

                                                                                                                                      • memory/4428-274-0x00000000026A0000-0x00000000026D6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        216KB

                                                                                                                                      • memory/4428-353-0x0000000008310000-0x000000000898A000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        6.5MB

                                                                                                                                      • memory/4428-308-0x0000000005910000-0x0000000005976000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        408KB

                                                                                                                                      • memory/4428-309-0x0000000005980000-0x00000000059E6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        408KB

                                                                                                                                      • memory/4428-352-0x00000000076E0000-0x0000000007C84000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        5.6MB

                                                                                                                                      • memory/4428-275-0x0000000005270000-0x0000000005898000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        6.2MB

                                                                                                                                      • memory/4428-333-0x0000000005B70000-0x0000000005B8E000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        120KB

                                                                                                                                      • memory/4428-335-0x0000000006110000-0x000000000615C000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        304KB

                                                                                                                                      • memory/4428-350-0x0000000006580000-0x000000000659A000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        104KB

                                                                                                                                      • memory/4428-349-0x0000000007040000-0x00000000070D6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        600KB

                                                                                                                                      • memory/4428-351-0x00000000065F0000-0x0000000006612000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                      • memory/4508-172-0x0000000000D90000-0x0000000000DF2000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        392KB

                                                                                                                                      • memory/4780-0-0x0000000000400000-0x0000000000F04000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        11.0MB