exelastealer | hxxps://mega[.]nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg/folder/hBYgiJxC

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek Audio = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Updater.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5640	powershell.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Pictures\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Camera Roll\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Documents\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Videos\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Desktop\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Pictures\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Saved Pictures\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Music\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Downloads\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Desktop\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Camera Roll\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Saved Pictures\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Documents\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Music\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Videos\desktop.ini	Data-Export-2024-06-10_‮piz.scr
File created	C:\Users\Admin\AppData\Local\Temp\Scorned Files\Downloads\desktop.ini	Data-Export-2024-06-10_‮piz.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
79	discord.com
102	raw.githubusercontent.com
115	discord.com
116	discord.com
174	discord.com
176	raw.githubusercontent.com
227	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com
79	api.ipify.org
88	api.ipify.org
352	ip-api.com

Network Service Discovery 1 TTPs 8 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
6968	cmd.exe
4744	ARP.EXE
6528	cmd.exe
4424	ARP.EXE
224	cmd.exe
5944	ARP.EXE
3656	cmd.exe
872	ARP.EXE

Enumerates processes with tasklist 1 TTPs 24 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
1036	tasklist.exe
1880	tasklist.exe
3320	tasklist.exe
6316	tasklist.exe
2876	tasklist.exe
404	tasklist.exe
124	tasklist.exe
5012	tasklist.exe
5324	tasklist.exe
2492	tasklist.exe
6904	tasklist.exe
7152	tasklist.exe
1020	tasklist.exe
5284	tasklist.exe
5792	tasklist.exe
5824	tasklist.exe
1088	tasklist.exe
2488	tasklist.exe
5456	tasklist.exe
6296	tasklist.exe
4020	tasklist.exe
6412	tasklist.exe
1644	tasklist.exe
236	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4900	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
420	ldap60.bin

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002ac4f-482.dat	upx
behavioral1/memory/3184-486-0x00007FFF2CE00000-0x00007FFF2D3E8000-memory.dmp	upx
behavioral1/files/0x001c00000002ac0d-492.dat	upx
behavioral1/files/0x001900000002ac1b-513.dat	upx
behavioral1/memory/3184-515-0x00007FFF49A60000-0x00007FFF49A6F000-memory.dmp	upx
behavioral1/memory/3184-514-0x00007FFF44AA0000-0x00007FFF44AC4000-memory.dmp	upx
behavioral1/files/0x001900000002ac50-517.dat	upx
behavioral1/files/0x001900000002ac51-527.dat	upx
behavioral1/files/0x001900000002ac1a-529.dat	upx
behavioral1/files/0x001900000002ac45-534.dat	upx
behavioral1/memory/3184-536-0x00007FFF2C530000-0x00007FFF2C8A5000-memory.dmp	upx
behavioral1/memory/3184-535-0x00007FFF2FE10000-0x00007FFF2FEC8000-memory.dmp	upx
behavioral1/files/0x001900000002ac54-544.dat	upx
behavioral1/files/0x001900000002ac56-546.dat	upx
behavioral1/files/0x001900000002ac20-552.dat	upx
behavioral1/files/0x001900000002ac21-550.dat	upx
behavioral1/files/0x001c00000002ac1f-548.dat	upx
behavioral1/memory/3184-553-0x00007FFF2CE00000-0x00007FFF2D3E8000-memory.dmp	upx
behavioral1/memory/3184-563-0x00007FFF2CCC0000-0x00007FFF2CCDE000-memory.dmp	upx
behavioral1/memory/3184-562-0x00007FFF488E0000-0x00007FFF488EA000-memory.dmp	upx
behavioral1/memory/3184-561-0x00007FFF2CCE0000-0x00007FFF2CCF1000-memory.dmp	upx
behavioral1/memory/3184-560-0x00007FFF2CD00000-0x00007FFF2CD4D000-memory.dmp	upx
behavioral1/memory/3184-559-0x00007FFF2CD50000-0x00007FFF2CD69000-memory.dmp	upx
behavioral1/memory/3184-558-0x00007FFF2CDE0000-0x00007FFF2CDF7000-memory.dmp	upx
behavioral1/memory/3184-574-0x00007FFF2CC80000-0x00007FFF2CCB8000-memory.dmp	upx
behavioral1/memory/3184-573-0x00007FFF344A0000-0x00007FFF344B4000-memory.dmp	upx
behavioral1/memory/3184-572-0x00007FFF28A30000-0x00007FFF29125000-memory.dmp	upx
behavioral1/memory/3184-557-0x00007FFF2FDC0000-0x00007FFF2FDE2000-memory.dmp	upx
behavioral1/memory/3184-556-0x00007FFF2C410000-0x00007FFF2C52C000-memory.dmp	upx
behavioral1/memory/3184-555-0x00007FFF2FDF0000-0x00007FFF2FE04000-memory.dmp	upx
behavioral1/memory/3184-554-0x00007FFF344C0000-0x00007FFF344D2000-memory.dmp	upx
behavioral1/files/0x001900000002ac0f-543.dat	upx
behavioral1/files/0x001900000002ac4a-542.dat	upx
behavioral1/memory/3184-541-0x00007FFF444D0000-0x00007FFF444E5000-memory.dmp	upx
behavioral1/files/0x001900000002ac08-538.dat	upx
behavioral1/files/0x001900000002ac14-539.dat	upx
behavioral1/files/0x001900000002ac47-532.dat	upx
behavioral1/memory/3184-531-0x00007FFF38D30000-0x00007FFF38D5E000-memory.dmp	upx
behavioral1/memory/3184-530-0x00007FFF2C8B0000-0x00007FFF2CA23000-memory.dmp	upx
behavioral1/memory/3184-526-0x00007FFF3A260000-0x00007FFF3A283000-memory.dmp	upx
behavioral1/memory/3184-525-0x00007FFF40C50000-0x00007FFF40C7D000-memory.dmp	upx
behavioral1/memory/3184-524-0x00007FFF446E0000-0x00007FFF446F9000-memory.dmp	upx
behavioral1/files/0x001c00000002ac19-523.dat	upx
behavioral1/files/0x001900000002ac12-522.dat	upx
behavioral1/memory/3184-521-0x00007FFF497B0000-0x00007FFF497BD000-memory.dmp	upx
behavioral1/memory/3184-520-0x00007FFF44F30000-0x00007FFF44F49000-memory.dmp	upx
behavioral1/files/0x001900000002ac09-519.dat	upx
behavioral1/files/0x001900000002ac18-516.dat	upx
behavioral1/files/0x001900000002ac15-509.dat	upx
behavioral1/files/0x001c00000002ac13-507.dat	upx
behavioral1/files/0x001900000002ac0e-504.dat	upx
behavioral1/files/0x001900000002ac0c-503.dat	upx
behavioral1/files/0x001900000002ac4b-497.dat	upx
behavioral1/files/0x001900000002ac46-494.dat	upx
behavioral1/memory/3184-608-0x00007FFF44F30000-0x00007FFF44F49000-memory.dmp	upx
behavioral1/memory/3184-742-0x00007FFF3A260000-0x00007FFF3A283000-memory.dmp	upx
behavioral1/memory/3184-743-0x00007FFF2C8B0000-0x00007FFF2CA23000-memory.dmp	upx
behavioral1/memory/3184-782-0x00007FFF487D0000-0x00007FFF487DD000-memory.dmp	upx
behavioral1/memory/3184-781-0x00007FFF2C530000-0x00007FFF2C8A5000-memory.dmp	upx
behavioral1/memory/3184-780-0x00007FFF38D30000-0x00007FFF38D5E000-memory.dmp	upx
behavioral1/memory/3184-802-0x00007FFF2FE10000-0x00007FFF2FEC8000-memory.dmp	upx
behavioral1/memory/3184-1185-0x00007FFF444D0000-0x00007FFF444E5000-memory.dmp	upx
behavioral1/memory/3184-1186-0x00007FFF28A30000-0x00007FFF29125000-memory.dmp	upx
behavioral1/memory/3184-1193-0x00007FFF44AA0000-0x00007FFF44AC4000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1556	sc.exe
3576	sc.exe
4520	sc.exe
1416	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002ac03-434.dat	pyinstaller
behavioral1/files/0x000d00000002ba84-12537.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4544	2164	Process not Found	1736
2316	9044	Process not Found	1752

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackFollow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord Nitro - TZ Cracking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoDredge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord Nitro - TZ Cracking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
2988	netsh.exe
72	cmd.exe
7152	netsh.exe
6608	cmd.exe
3260	netsh.exe
1952	cmd.exe
4268	netsh.exe
3776	cmd.exe

System Network Connections Discovery 1 TTPs 4 IoCs

Attempt to get a listing of network connections.

System Network Connections Discovery

T1049

pid	Process
232	NETSTAT.EXE
5756	NETSTAT.EXE
6560	NETSTAT.EXE
6120	NETSTAT.EXE

Collects information from the system 1 TTPs 4 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3372	WMIC.exe
680	WMIC.exe
1880	WMIC.exe
3012	WMIC.exe

Detects videocard installed 1 TTPs 5 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
5328	WMIC.exe
2896	WMIC.exe
5232	WMIC.exe
812	WMIC.exe
900	WMIC.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5756	NETSTAT.EXE
6100	ipconfig.exe
6560	NETSTAT.EXE
6724	ipconfig.exe
6120	NETSTAT.EXE
2960	ipconfig.exe
232	NETSTAT.EXE
6184	ipconfig.exe

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
3640	systeminfo.exe
5348	systeminfo.exe
2984	systeminfo.exe
6236	systeminfo.exe

Kills process with taskkill 35 IoCs

evasion

pid	Process
1684	taskkill.exe
6428	taskkill.exe
3500	taskkill.exe
4916	taskkill.exe
4752	taskkill.exe
464	taskkill.exe
6560	taskkill.exe
4928	taskkill.exe
4412	taskkill.exe
1532	taskkill.exe
5860	taskkill.exe
3548	taskkill.exe
1568	taskkill.exe
5864	taskkill.exe
3540	taskkill.exe
2072	taskkill.exe
2820	taskkill.exe
3980	taskkill.exe
2876	taskkill.exe
6744	taskkill.exe
224	taskkill.exe
1688	taskkill.exe
1996	taskkill.exe
1880	taskkill.exe
1408	taskkill.exe
720	taskkill.exe
2512	taskkill.exe
6520	taskkill.exe
3724	taskkill.exe
3972	taskkill.exe
1992	taskkill.exe
5196	taskkill.exe
720	taskkill.exe
5912	taskkill.exe
4416	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133738500740421329"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 14002e80922b16d365937a46956b92703aca08af0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\ = "0"	TextInputHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "1"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	TextInputHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderType = "Documents"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\ = "0"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	TextInputHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000000000000100000002000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	Process not Found

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
5396	reg.exe
5432	reg.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\!Private Key Gen&Checker Cracked.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Binance Trading Bot 1.8.3.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NinjaGram v7.6.0.8.rar:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\Discord Nitro - TZCracking.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Twitch Follow Bot Tool + 10K Tokens.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\SocialClub Bruteforce by m1st.rar:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\InstaGet Pro 2.0.rar:Zone.Identifier	Process not Found
File opened for modification	C:\Users\Admin\Downloads\CryptoDredge.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\!RPCMiner 2024.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\!Private Key Gen&Checker Cracked (1).zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\!Coinbase Bruteforcer Cracked.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6448	NOTEPAD.EXE

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3008	schtasks.exe
5844	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6028	TextInputHost.exe
6396	vshost.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
5640	powershell.exe
5640	powershell.exe
5660	powershell.exe
5660	powershell.exe
3364	chrome.exe
3364	chrome.exe
4364	main.exe
4364	main.exe
4816	chrome.exe
4816	chrome.exe
2976	main.exe
2976	main.exe
1164	main.exe
1164	main.exe
4544	chrome.exe
4544	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
3748	main.exe
3748	main.exe
1164	powershell.exe
1164	powershell.exe
6828	chrome.exe
6828	chrome.exe
1164	powershell.exe
6556	powershell.exe
6556	powershell.exe
6556	powershell.exe
2316	chrome.exe
2316	chrome.exe
6256	powershell.exe
6256	powershell.exe
6256	powershell.exe
4668	chrome.exe
4668	chrome.exe
8208	Process not Found
8208	Process not Found
8208	Process not Found
8208	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5524	python.exe
3320	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
6964	7zG.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
4816	chrome.exe
4816	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
6828	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5524	python.exe
2004	MiniSearchHost.exe
6028	TextInputHost.exe
6028	TextInputHost.exe
6028	TextInputHost.exe
5292	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3116	2696	chrome.exe	77
PID 2696 wrote to memory of 3116	2696	chrome.exe	77
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 2960	2696	chrome.exe	78
PID 2696 wrote to memory of 1720	2696	chrome.exe	79
PID 2696 wrote to memory of 1720	2696	chrome.exe	79
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80
PID 2696 wrote to memory of 1376	2696	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe
5428	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg/folder/hBYgiJxC
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff45a1cc40,0x7fff45a1cc4c,0x7fff45a1cc58
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4580,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5044,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,6365222781072896922,15728273013809729624,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Drops file in Program Files directory
  PID:2976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D8
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4820

C:\Users\Admin\Downloads\!MultiMiner Cracked V3.0\Cracked by CRAX-it v3.0.1.exe
"C:\Users\Admin\Downloads\!MultiMiner Cracked V3.0\Cracked by CRAX-it v3.0.1.exe"
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
  "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
  2⤵
  - Executes dropped EXE
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
    "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1972
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:3980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2364
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:4204
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:4900
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4588
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2696"
      4⤵
      PID:2288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2696
        5⤵
        Kills process with taskkill
        
        PID:3972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3116"
      4⤵
      PID:2948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3116
        5⤵
        Kills process with taskkill
        
        PID:3980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2960"
      4⤵
      PID:4180
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2960
        5⤵
        Kills process with taskkill
        
        PID:3548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1720"
      4⤵
      PID:2312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1720
        5⤵
        Kills process with taskkill
        
        PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1376"
      4⤵
      PID:4016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1376
        5⤵
        Kills process with taskkill
        
        PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2344"
      4⤵
      PID:3328
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1088
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2344
        5⤵
        Kills process with taskkill
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1404"
      4⤵
      PID:1116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1404
        5⤵
        Kills process with taskkill
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
      4⤵
      PID:3736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3140
        5⤵
        Kills process with taskkill
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2976"
      4⤵
      PID:4996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2976
        5⤵
        Kills process with taskkill
        
        PID:1880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3744
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3176
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3528
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2876
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1952
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4752
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:3656
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1992
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3640
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2788
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3372
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4456
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:2332
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:720
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:3084
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:1988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:2532
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3972
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2364
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:1320
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4220
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:5112
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:1568
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:1880
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2960
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:3864
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:872
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:232
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:1556
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4320
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4880
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2812
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1944
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1820,i,460535650799873173,15196686164302454403,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --mojo-platform-channel-handle=2096 --field-trial-handle=1820,i,460535650799873173,15196686164302454403,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "python.exe Crypto\Util\astor.py"
      4⤵
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\pyth\python.exe
        
        python.exe Crypto\Util\astor.py
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:5576
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:2084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:1724
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:2548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4296
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:5548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5204
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio""
        6⤵
        
        PID:5308
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio"
        7⤵
        Modifies registry key
        
        PID:5396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f"
        6⤵
        
        PID:5436
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5432
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe"
        6⤵
        Views/modifies file attributes
        
        PID:5428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5748
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5356
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1488 --field-trial-handle=1820,i,460535650799873173,15196686164302454403,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3528

C:\Users\Admin\Downloads\!MultiMiner Cracked V3.0\Cracked by CRAX-it v3.0.1.exe
"C:\Users\Admin\Downloads\!MultiMiner Cracked V3.0\Cracked by CRAX-it v3.0.1.exe"
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
  "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
  2⤵
  - Executes dropped EXE
  PID:5876
- - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
    "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
    3⤵
    - Executes dropped EXE
    PID:6132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2932
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    3⤵
    - Executes dropped EXE
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1416 --field-trial-handle=1880,i,15980690861350373060,4754930688215203646,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --mojo-platform-channel-handle=2088 --field-trial-handle=1880,i,15980690861350373060,4754930688215203646,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=796 --field-trial-handle=1880,i,15980690861350373060,4754930688215203646,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff3383cc40,0x7fff3383cc4c,0x7fff3383cc58
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1644,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3464,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3220,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3308,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3260,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5572,i,2725747035484208066,17359139012543136521,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - NTFS ADS
  PID:432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6048

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4848

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6028

C:\Users\Admin\Downloads\!Private Key Gen&Checker Cracked\Cracked by CRAX-it v3.0.1.exe
"C:\Users\Admin\Downloads\!Private Key Gen&Checker Cracked\Cracked by CRAX-it v3.0.1.exe"
1⤵
PID:3600
- C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
  "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
  2⤵
  - Executes dropped EXE
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
    "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
    3⤵
    - Executes dropped EXE
    PID:5948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3144
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    3⤵
    - Executes dropped EXE
    PID:7000
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1896,i,2236226348434112723,4498069369712524255,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:7140
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --mojo-platform-channel-handle=2100 --field-trial-handle=1896,i,2236226348434112723,4498069369712524255,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1896,i,2236226348434112723,4498069369712524255,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3383cc40,0x7fff3383cc4c,0x7fff3383cc58
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1632,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3660,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3620,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4916,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4316,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3756,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5480,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:6920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5608,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5676,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4396,i,17811445867407800256,36948506037545485,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - NTFS ADS
  PID:6220

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14623:82:7zEvent13085
1⤵
- Suspicious use of FindShellTrayWindow
PID:6964

C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
"C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe"
1⤵
- Executes dropped EXE
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:1356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4388
- C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\ProgramData\vshost\vshost.exe
    C:\ProgramData\\vshost\\vshost.exe ,.
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:6396
- - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
    api32.dll
    3⤵
    - Executes dropped EXE
    PID:6072
- - C:\ProgramData\winst\winst.exe
    C:\ProgramData\\winst\\winst.exe St5SOJU31AbOST3LlyHBPZSCYFrHinFQr6AX9iq1FrdVk02j6ZKYepwoFYGIKyX1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6500

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CryptoDredge\RELEASE-NOTES.txt
1⤵
PID:1288

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CryptoDredge\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CryptoDredge\run-chukwa2-herominers.bat" "
1⤵
PID:4720
- C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
  CryptoDredge -a chukwa2 -o stratum+tcp://sg.turtlecoin.herominers.com:1160 -u TRTLuxAUFEVS4NrLVUb9aMSiQBfvZydrv3zwmUFguxZ7QNXXBrVkYg142mrN1kr3kN7GkxtUyR2nTjXj2JyUQYATCwdQyhWJCm9 -p x
  2⤵
  - Executes dropped EXE
  PID:5144
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:5376
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:6256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1136
- - C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4912
  - - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
      api32.dll
      4⤵
      Executes dropped EXE
      PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CryptoDredge\run-nim-icemining.bat" "
1⤵
PID:5944
- C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
  CryptoDredge -a argon2d-nim -o wss://nimiq.icemining.ca:2053 -u NQ68XM089BE857DEQMT6PAT5PJGQTEBXFSBU -p x
  2⤵
  - Executes dropped EXE
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:5080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4528
- - C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6036
  - - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
      api32.dll
      4⤵
      Executes dropped EXE
      PID:5872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\CryptoDredge\run-cnhaven-herominers.bat"
1⤵
PID:6828
- C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
  CryptoDredge -a cnhaven -o stratum+tcp://sg.haven.herominers.com:1110 -u hvxxx2AjevJAUnwaxpq6MvLwxuhFSB4oH1VrgQDG9m7icsVXmnw1MPYcKRUXzHiMyfcbSaa4D3doUVjXecvABPkJ1EF6vaNyVw -p x
  2⤵
  - Executes dropped EXE
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      Executes dropped EXE
      PID:6304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1964
- - C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7152
  - - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
      api32.dll
      4⤵
      Executes dropped EXE
      PID:2216

C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
"C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe"
1⤵
- Executes dropped EXE
PID:392
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:6172
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:6612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6564
- C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6252
- - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
    api32.dll
    3⤵
    - Executes dropped EXE
    PID:6668

C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe
"C:\Users\Admin\Desktop\CryptoDredge\CryptoDredge.exe"
1⤵
- Executes dropped EXE
PID:6704
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:6276
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:1320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1960
- C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoDredge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7100
- - C:\Users\Admin\Desktop\CryptoDredge\api32.dll
    api32.dll
    3⤵
    - Executes dropped EXE
    PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3383cc40,0x7fff3383cc4c,0x7fff3383cc58
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:6908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:6528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4696,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5316,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3048,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4632,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:6388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5528,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5532,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5852,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5848,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4476,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,14875718311893455886,15524636033487128863,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6720

C:\Users\Admin\Desktop\!RPCMiner 2024\Cracked by CRAX-it v3.0.1.exe
"C:\Users\Admin\Desktop\!RPCMiner 2024\Cracked by CRAX-it v3.0.1.exe"
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
  "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
  2⤵
  - Executes dropped EXE
  PID:6176
- - C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr
    "C:\Users\Admin\AppData\Local\Temp\Data-Export-2024-06-10_‮piz.scr" /S
    3⤵
    - Executes dropped EXE
    PID:6292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:908
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
    3⤵
    - Executes dropped EXE
    PID:6956
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1824,i,9595408164665431046,4451286253245868711,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:6952
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --mojo-platform-channel-handle=2088 --field-trial-handle=1824,i,9595408164665431046,4451286253245868711,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      PID:7136
  - - C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe
      "C:\Users\Admin\AppData\Local\Temp\2hxgf3bgGLBF91tnIY9RVGPdbsy\main.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1824,i,9595408164665431046,4451286253245868711,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3748

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2962:108:7zEvent8868
1⤵
PID:6844

C:\Users\Admin\Desktop\Binance Trading Bot 1.8.3\Binance Trading Bot 1.8.3.exe
"C:\Users\Admin\Desktop\Binance Trading Bot 1.8.3\Binance Trading Bot 1.8.3.exe"
1⤵
- Executes dropped EXE
PID:3012
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6452
- C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
  2⤵
  - Executes dropped EXE
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:7012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1136
- - C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
    3⤵
    PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      4⤵
      PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:6844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
      "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
      4⤵
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        5⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        5⤵
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        6⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:5392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        6⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        7⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        7⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        8⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        8⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        9⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        
        PID:6380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        9⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        10⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        
        PID:6612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        10⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        11⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        11⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        12⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        
        PID:6476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        12⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        13⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        
        PID:5376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        13⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        14⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        14⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        15⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        15⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        16⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        
        PID:6464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        16⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        17⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        17⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        18⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        18⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        19⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:5984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        19⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        20⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        20⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        21⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:5540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        21⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        22⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        22⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        23⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:1704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        23⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        24⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        24⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        25⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        25⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        26⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        27⤵
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        28⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        26⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        27⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        28⤵
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        29⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        27⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        28⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        29⤵
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        30⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        28⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        29⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        30⤵
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        31⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        29⤵
        
        PID:200
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        30⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        31⤵
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        32⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        30⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        31⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        32⤵
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        33⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        31⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        32⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        33⤵
        
        PID:6300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        34⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        32⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        33⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        34⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        35⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        33⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        34⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        35⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        36⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        34⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        35⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        36⤵
        
        PID:6148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        37⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        35⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        36⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        37⤵
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        38⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        36⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        37⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        38⤵
        
        PID:3728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        39⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        37⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        38⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        39⤵
        
        PID:6620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        40⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        38⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        39⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        40⤵
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        41⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        39⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        40⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        41⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        42⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        40⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        41⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        42⤵
        
        PID:5440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        43⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        41⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        42⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        43⤵
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        44⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        42⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        43⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        44⤵
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        45⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        43⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        44⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        45⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        46⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        44⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        45⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        46⤵
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        47⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        45⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        46⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        47⤵
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        48⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        46⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        47⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        48⤵
        
        PID:6672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        49⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        47⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        48⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        49⤵
        
        PID:916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        50⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        48⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        49⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        50⤵
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        51⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        49⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        50⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        51⤵
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        52⤵
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        52⤵
        
        PID:4664
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        53⤵
        Detects videocard installed
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        52⤵
        
        PID:5232
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        53⤵
        
        PID:5572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        52⤵
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        52⤵
        
        PID:4984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        53⤵
        Enumerates processes with tasklist
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        52⤵
        
        PID:6768
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        53⤵
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        52⤵
        
        PID:3128
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        53⤵
        
        PID:6296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        52⤵
        
        PID:6368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        53⤵
        Enumerates processes with tasklist
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
        52⤵
        
        PID:6284
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        53⤵
        
        PID:3656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        52⤵
        
        PID:4488
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        52⤵
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        52⤵
        
        PID:6140
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        53⤵
        Enumerates processes with tasklist
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5616"
        52⤵
        
        PID:1816
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5616
        53⤵
        Kills process with taskkill
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1412"
        52⤵
        
        PID:6408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1412
        53⤵
        Kills process with taskkill
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4544"
        52⤵
        
        PID:4924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4544
        53⤵
        Kills process with taskkill
        
        PID:3500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1036"
        52⤵
        
        PID:588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1036
        53⤵
        Kills process with taskkill
        
        PID:5196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 904"
        52⤵
        
        PID:6656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 904
        53⤵
        Kills process with taskkill
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2300"
        52⤵
        
        PID:6448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2300
        53⤵
        Kills process with taskkill
        
        PID:464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2532"
        52⤵
        
        PID:6920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2532
        53⤵
        Kills process with taskkill
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2932"
        52⤵
        
        PID:3492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2932
        53⤵
        Kills process with taskkill
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3704"
        52⤵
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3704
        53⤵
        Kills process with taskkill
        
        PID:6560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
        52⤵
        
        PID:4496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3604
        53⤵
        Kills process with taskkill
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        52⤵
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        53⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp
        54⤵
        
        PID:240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        52⤵
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        53⤵
        
        PID:5440
        
        C:\Windows\system32\chcp.com
        
        chcp
        54⤵
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        52⤵
        
        PID:2888
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        53⤵
        Enumerates processes with tasklist
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        52⤵
        Clipboard Data
        
        PID:6392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        53⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        52⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3776
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        53⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        52⤵
        Network Service Discovery
        
        PID:6968
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        53⤵
        Gathers system information
        
        PID:5348
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        53⤵
        
        PID:3492
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        53⤵
        Collects information from the system
        
        PID:680
        
        C:\Windows\system32\net.exe
        
        net user
        53⤵
        
        PID:496
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        54⤵
        
        PID:6544
        
        C:\Windows\system32\query.exe
        
        query user
        53⤵
        
        PID:916
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        54⤵
        
        PID:4824
        
        C:\Windows\system32\net.exe
        
        net localgroup
        53⤵
        
        PID:6812
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        54⤵
        
        PID:4736
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        53⤵
        
        PID:6768
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        54⤵
        
        PID:1992
        
        C:\Windows\system32\net.exe
        
        net user guest
        53⤵
        
        PID:6724
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        54⤵
        
        PID:6348
        
        C:\Windows\system32\net.exe
        
        net user administrator
        53⤵
        
        PID:4528
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        54⤵
        
        PID:5680
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        53⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        53⤵
        Enumerates processes with tasklist
        
        PID:6316
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        53⤵
        Gathers network information
        
        PID:6184
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        53⤵
        
        PID:6176
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        53⤵
        Network Service Discovery
        
        PID:4744
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        53⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5756
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        53⤵
        Launches sc.exe
        
        PID:3576
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        53⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7012
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        53⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        52⤵
        
        PID:5020
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        53⤵
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        52⤵
        
        PID:6052
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        53⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        50⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        51⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        52⤵
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        53⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        51⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        52⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        53⤵
        
        PID:7100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        54⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        52⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        53⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        54⤵
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        55⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        53⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        54⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        55⤵
        
        PID:6328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        56⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        54⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        55⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        56⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        57⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        55⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        56⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        57⤵
        
        PID:6392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        58⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        56⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        57⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        58⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        59⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        57⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        58⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        59⤵
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        60⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        58⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        59⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        60⤵
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        61⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        59⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        60⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        61⤵
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        62⤵
        
        PID:6836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        62⤵
        
        PID:1644
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        62⤵
        
        PID:4916
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        63⤵
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        62⤵
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        62⤵
        
        PID:6372
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        63⤵
        Enumerates processes with tasklist
        
        PID:6296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        62⤵
        
        PID:4736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        63⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        62⤵
        
        PID:2436
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        63⤵
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        62⤵
        
        PID:3900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        63⤵
        Enumerates processes with tasklist
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
        62⤵
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        63⤵
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        62⤵
        
        PID:3396
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        63⤵
        Enumerates processes with tasklist
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6828"
        62⤵
        
        PID:4316
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6828
        63⤵
        Kills process with taskkill
        
        PID:5912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3696"
        62⤵
        
        PID:5144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3696
        63⤵
        Kills process with taskkill
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3500"
        62⤵
        
        PID:6996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3500
        63⤵
        Kills process with taskkill
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3260"
        62⤵
        
        PID:5376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3260
        63⤵
        Kills process with taskkill
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5368"
        62⤵
        
        PID:4480
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5368
        63⤵
        Kills process with taskkill
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"
        62⤵
        
        PID:900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1684
        63⤵
        Kills process with taskkill
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6644"
        62⤵
        
        PID:4736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6644
        63⤵
        Kills process with taskkill
        
        PID:6744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4628"
        62⤵
        
        PID:6876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:6512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4628
        63⤵
        Kills process with taskkill
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        62⤵
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        63⤵
        
        PID:5124
        
        C:\Windows\system32\chcp.com
        
        chcp
        64⤵
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        62⤵
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        63⤵
        
        PID:5416
        
        C:\Windows\system32\chcp.com
        
        chcp
        64⤵
        
        PID:428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:2884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        62⤵
        Clipboard Data
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        63⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        62⤵
        Network Service Discovery
        
        PID:6528
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        63⤵
        Gathers system information
        
        PID:2984
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        63⤵
        
        PID:5204
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        63⤵
        Collects information from the system
        
        PID:1880
        
        C:\Windows\system32\net.exe
        
        net user
        63⤵
        
        PID:4220
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        64⤵
        
        PID:492
        
        C:\Windows\system32\query.exe
        
        query user
        63⤵
        
        PID:5368
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        64⤵
        
        PID:1988
        
        C:\Windows\system32\net.exe
        
        net localgroup
        63⤵
        
        PID:6536
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        64⤵
        
        PID:5848
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        63⤵
        
        PID:6236
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        64⤵
        
        PID:7108
        
        C:\Windows\system32\net.exe
        
        net user guest
        63⤵
        
        PID:3516
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        64⤵
        
        PID:6056
        
        C:\Windows\system32\net.exe
        
        net user administrator
        63⤵
        
        PID:6072
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        64⤵
        
        PID:3852
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        63⤵
        
        PID:712
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        63⤵
        Enumerates processes with tasklist
        
        PID:6904
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        63⤵
        Gathers network information
        
        PID:6100
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        63⤵
        
        PID:5264
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        63⤵
        Network Service Discovery
        
        PID:4424
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        63⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:6560
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        63⤵
        Launches sc.exe
        
        PID:4520
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        63⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:496
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        63⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        62⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:72
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        62⤵
        
        PID:5608
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        63⤵
        
        PID:5240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        62⤵
        
        PID:2800
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        63⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        60⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        61⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        62⤵
        
        PID:576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        63⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        61⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        62⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        63⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        64⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        62⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        63⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        64⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        65⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        63⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        64⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        65⤵
        
        PID:916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        66⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        64⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        65⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        66⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        67⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        65⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        66⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        67⤵
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        68⤵
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        68⤵
        
        PID:4024
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        69⤵
        Detects videocard installed
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        68⤵
        
        PID:6328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        69⤵
        
        PID:6768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        68⤵
        
        PID:6220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        68⤵
        
        PID:3724
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        69⤵
        Enumerates processes with tasklist
        
        PID:7152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        68⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        69⤵
        
        PID:6856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        68⤵
        
        PID:1724
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        69⤵
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        68⤵
        
        PID:6832
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        69⤵
        Enumerates processes with tasklist
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
        68⤵
        
        PID:5984
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        69⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        68⤵
        
        PID:5032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        69⤵
        Enumerates processes with tasklist
        
        PID:124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2316"
        68⤵
        
        PID:5292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2316
        69⤵
        Kills process with taskkill
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6812"
        68⤵
        
        PID:4416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6812
        69⤵
        Kills process with taskkill
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2976"
        68⤵
        
        PID:6408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2976
        69⤵
        Kills process with taskkill
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1908"
        68⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:6560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1908
        69⤵
        Kills process with taskkill
        
        PID:6428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6496"
        68⤵
        
        PID:4844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6496
        69⤵
        Kills process with taskkill
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5372"
        68⤵
        
        PID:5380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:6220
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5372
        69⤵
        Kills process with taskkill
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 576"
        68⤵
        
        PID:6768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 576
        69⤵
        Kills process with taskkill
        
        PID:6520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 988"
        68⤵
        
        PID:5864
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 988
        69⤵
        Kills process with taskkill
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        68⤵
        
        PID:6016
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        69⤵
        
        PID:5204
        
        C:\Windows\system32\chcp.com
        
        chcp
        70⤵
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        68⤵
        
        PID:4620
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        69⤵
        
        PID:5560
        
        C:\Windows\system32\chcp.com
        
        chcp
        70⤵
        
        PID:6552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        68⤵
        
        PID:6268
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        69⤵
        Enumerates processes with tasklist
        
        PID:6412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        68⤵
        Clipboard Data
        
        PID:6904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        69⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        68⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6608
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        69⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        68⤵
        Network Service Discovery
        
        PID:224
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        69⤵
        Gathers system information
        
        PID:6236
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        69⤵
        
        PID:1136
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        69⤵
        Collects information from the system
        
        PID:3012
        
        C:\Windows\system32\net.exe
        
        net user
        69⤵
        
        PID:5572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        70⤵
        
        PID:4620
        
        C:\Windows\system32\query.exe
        
        query user
        69⤵
        
        PID:5116
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        70⤵
        
        PID:3096
        
        C:\Windows\system32\net.exe
        
        net localgroup
        69⤵
        
        PID:5952
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        70⤵
        
        PID:1132
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        69⤵
        
        PID:6608
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        70⤵
        
        PID:6352
        
        C:\Windows\system32\net.exe
        
        net user guest
        69⤵
        
        PID:5928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        70⤵
        
        PID:4056
        
        C:\Windows\system32\net.exe
        
        net user administrator
        69⤵
        
        PID:1684
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        70⤵
        
        PID:5368
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        69⤵
        
        PID:5512
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        69⤵
        Enumerates processes with tasklist
        
        PID:1644
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        69⤵
        Gathers network information
        
        PID:6724
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        69⤵
        
        PID:1992
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        69⤵
        Network Service Discovery
        
        PID:5944
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        69⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:6120
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        69⤵
        Launches sc.exe
        
        PID:1416
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1824
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        69⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        68⤵
        
        PID:1136
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        69⤵
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        68⤵
        
        PID:3624
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        69⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        66⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        67⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        68⤵
        
        PID:5812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        69⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        67⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        68⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        69⤵
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        70⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        68⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        69⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        70⤵
        
        PID:6268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        71⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        69⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        70⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        71⤵
        
        PID:6776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        72⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        70⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        71⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        72⤵
        
        PID:6152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        73⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        71⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        72⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        73⤵
        
        PID:3412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        74⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        72⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        73⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        74⤵
        
        PID:5840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        75⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        73⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        74⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        75⤵
        
        PID:492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        76⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        74⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        75⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        76⤵
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        77⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        75⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        76⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        77⤵
        
        PID:6264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        78⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        76⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        77⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        78⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        79⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        77⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        78⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        79⤵
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        80⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        78⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        79⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        80⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        81⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        79⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        80⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        81⤵
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        82⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        80⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        81⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        82⤵
        
        PID:6332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        83⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        81⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        82⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        83⤵
        
        PID:5808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        84⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        82⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        83⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        84⤵
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        85⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        83⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        84⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        85⤵
        
        PID:6220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        86⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        84⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        85⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        86⤵
        
        PID:3748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        87⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        85⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        86⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        87⤵
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        88⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        86⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        87⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        88⤵
        
        PID:6492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        89⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        87⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        88⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        89⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        90⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        88⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        89⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        90⤵
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        91⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        89⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        90⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        91⤵
        
        PID:4120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        92⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        90⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        91⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        92⤵
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        93⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        91⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        92⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        93⤵
        
        PID:8100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        94⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        92⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        93⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        94⤵
        
        PID:8592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        95⤵
        
        PID:8616
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        93⤵
        
        PID:8440
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        94⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        95⤵
        
        PID:9084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        96⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        94⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        95⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        96⤵
        
        PID:7572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        97⤵
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        95⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        96⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        97⤵
        
        PID:496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        98⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        96⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        97⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        98⤵
        
        PID:932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        99⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        97⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        98⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        99⤵
        
        PID:8060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        100⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        98⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        99⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        100⤵
        
        PID:8500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        101⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        99⤵
        
        PID:8320
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        100⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        101⤵
        
        PID:8964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        102⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        100⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        101⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        102⤵
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        103⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        101⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        102⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        103⤵
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        104⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        102⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        103⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        104⤵
        
        PID:5872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        105⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        103⤵
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        104⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        105⤵
        
        PID:7176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        106⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        104⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        105⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        106⤵
        
        PID:8524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        107⤵
        
        PID:8496
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        105⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        106⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        107⤵
        
        PID:8936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        108⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        106⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        107⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        108⤵
        
        PID:7420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        109⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        107⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        108⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        109⤵
        
        PID:7388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        110⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        108⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        109⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        110⤵
        
        PID:6384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        111⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        109⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        110⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        111⤵
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        112⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Binance Trading Bot 1.8.3.exe"
        110⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
        111⤵
        
        PID:7148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23556:110:7zEvent28187
1⤵
PID:6244

C:\Users\Admin\Desktop\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe
"C:\Users\Admin\Desktop\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6900
- C:\Users\Admin\Desktop\Discord Nitro - TZCracking\database32.cfg
  database32.cfg
  2⤵
  PID:4436

C:\Users\Admin\Desktop\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe
"C:\Users\Admin\Desktop\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4024
- C:\Users\Admin\Desktop\Discord Nitro - TZCracking\database32.cfg
  database32.cfg
  2⤵
  PID:716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:6828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2c33cc40,0x7fff2c33cc4c,0x7fff2c33cc58
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4480 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3776 /prefetch:8
  2⤵
  PID:6984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:6564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:6556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5224,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4304,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:6644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4328,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,3164053923915185196,7185469363498588826,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:6704

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D8
1⤵
PID:6992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff2aa8cc40,0x7fff2aa8cc4c,0x7fff2aa8cc58
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1712,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:6496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:6980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:6820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4976,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5380,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3516,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5336,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5596,i,15564930454039830629,159440034774761183,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:1380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2d0acc40,0x7fff2d0acc4c,0x7fff2d0acc58
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:6472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4584,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:6844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3600,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4560,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:6760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4424,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:6300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3536,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5796,i,12616347303764605835,3461263316062752825,262144 --variations-seed-version=20241018-104821.244000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff2d0acc40,0x7fff2d0acc4c,0x7fff2d0acc58
  2⤵
  PID:5004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5336

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap22495:128:7zEvent5801
1⤵
PID:5908

C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe
"C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\BlackFollow.exe"
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    PID:1172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe
  "C:\Users\Admin\AppData\Local\Temp\BlackFollow.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:588
- - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
    ldap60.bin
    3⤵
    PID:6656
  - - C:\Users\Admin\Desktop\Twitch Follow Bot Tool + 10K Tokens\ldap60.bin
      ldap60.bin
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title BlackFollow ^| BlackLounge ^| Made by Martizio
        5⤵
        
        PID:7556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:7628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:7328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery