xworm | b09cb3790f8d27dedc636d2bb8532a94fddaf88a9428e17be30b31a3b742b2f2

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

76KB
MD5

eaf8bead81874b59ed1e17761dcda97a
SHA1

c449a6daae2900b66d8490b29793974ccc42adaa
SHA256

b09cb3790f8d27dedc636d2bb8532a94fddaf88a9428e17be30b31a3b742b2f2
SHA512

cdeda053b0fb2e526c943acb95696b5c9e577ea50a7871a5aa30830dc9fd25ede7d826139096c9669a193bbd3dfa0e5b72857c5857f0c1725d91a19184f60be9
SSDEEP

1536:UQFZgCR8ZPMhcNi1ptY8353R6L5ph64yJ3We9Gq:bLRbPR6L5ph6JJ3We99

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

ideas-equation.gl.at.ply.gg:13038

Mutex

Sdytd3eRdcISYTKJ

Attributes

Install_directory
%AppData%
install_file
dawas.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000004e74-14.dat	family_xworm
behavioral1/memory/2440-16-0x0000000000EB0000-0x0000000000EC2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2824	powershell.exe
3052	powershell.exe
596	powershell.exe
1188	powershell.exe
2296	powershell.exe
1256	powershell.exe
1480	powershell.exe
1972	powershell.exe
2344	powershell.exe
2636	powershell.exe
2592	powershell.exe
2440	powershell.exe
2124	powershell.exe
2664	powershell.exe
2180	powershell.exe
1052	powershell.exe
2512	powershell.exe
2720	powershell.exe
2724	powershell.exe
2084	powershell.exe
936	powershell.exe
1648	powershell.exe
1400	powershell.exe
1972	powershell.exe
2204	powershell.exe
1648	powershell.exe
708	powershell.exe
1872	powershell.exe
2656	powershell.exe
840	powershell.exe
2332	powershell.exe
2544	powershell.exe
2652	powershell.exe
2636	powershell.exe
2764	powershell.exe
1644	powershell.exe
1768	powershell.exe
2076	powershell.exe
2956	powershell.exe
1304	powershell.exe
2180	powershell.exe
1064	powershell.exe
1936	powershell.exe
1584	powershell.exe
2632	powershell.exe
1496	powershell.exe
1720	powershell.exe
1664	powershell.exe
1752	powershell.exe
1544	powershell.exe
2848	powershell.exe
2808	powershell.exe
292	powershell.exe
2384	powershell.exe
2488	powershell.exe
2532	powershell.exe
904	powershell.exe
1892	powershell.exe
2180	powershell.exe
2332	powershell.exe
1052	powershell.exe
2932	powershell.exe
2212	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2440	NurikCrack1.16.5.exe
2708	NurikCrack1.16.5.exe
2776	NurikCrack1.16.5.exe
2088	NurikCrack1.16.5.exe
2784	NurikCrack1.16.5.exe
904	NurikCrack1.16.5.exe
2292	NurikCrack1.16.5.exe
2860	NurikCrack1.16.5.exe
2712	NurikCrack1.16.5.exe
2708	NurikCrack1.16.5.exe
2776	NurikCrack1.16.5.exe
2088	NurikCrack1.16.5.exe
2372	NurikCrack1.16.5.exe
1708	NurikCrack1.16.5.exe
2916	NurikCrack1.16.5.exe
2616	NurikCrack1.16.5.exe
1680	NurikCrack1.16.5.exe
2264	NurikCrack1.16.5.exe
1908	NurikCrack1.16.5.exe
1540	NurikCrack1.16.5.exe
1940	NurikCrack1.16.5.exe
2748	NurikCrack1.16.5.exe
2896	NurikCrack1.16.5.exe
1060	NurikCrack1.16.5.exe
2988	NurikCrack1.16.5.exe
908	NurikCrack1.16.5.exe
2368	NurikCrack1.16.5.exe
1664	NurikCrack1.16.5.exe
2512	NurikCrack1.16.5.exe
2752	NurikCrack1.16.5.exe
1484	NurikCrack1.16.5.exe
1356	NurikCrack1.16.5.exe
2252	NurikCrack1.16.5.exe
680	NurikCrack1.16.5.exe
2348	NurikCrack1.16.5.exe
2744	NurikCrack1.16.5.exe
2264	NurikCrack1.16.5.exe
1704	NurikCrack1.16.5.exe
1548	NurikCrack1.16.5.exe
2692	NurikCrack1.16.5.exe
1280	NurikCrack1.16.5.exe
1604	NurikCrack1.16.5.exe
468	NurikCrack1.16.5.exe
1480	NurikCrack1.16.5.exe
1848	NurikCrack1.16.5.exe
2036	NurikCrack1.16.5.exe
3028	NurikCrack1.16.5.exe
2032	NurikCrack1.16.5.exe
2648	NurikCrack1.16.5.exe
2376	NurikCrack1.16.5.exe
2412	NurikCrack1.16.5.exe
2772	NurikCrack1.16.5.exe
2384	NurikCrack1.16.5.exe
536	NurikCrack1.16.5.exe
2868	NurikCrack1.16.5.exe
1640	NurikCrack1.16.5.exe
352	NurikCrack1.16.5.exe
2860	NurikCrack1.16.5.exe
2060	NurikCrack1.16.5.exe
1784	NurikCrack1.16.5.exe
1780	NurikCrack1.16.5.exe
2116	NurikCrack1.16.5.exe
3024	NurikCrack1.16.5.exe
2968	NurikCrack1.16.5.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NurikCrack1.16.5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NurikCrack1.16.5.exe"	CrackLauncher.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
25	ip-api.com
46	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	powershell.exe
2824	powershell.exe
1972	powershell.exe
1060	powershell.exe
2344	powershell.exe
936	powershell.exe
1188	powershell.exe
2296	powershell.exe
2624	powershell.exe
1648	powershell.exe
1752	powershell.exe
1544	powershell.exe
1400	powershell.exe
2180	powershell.exe
2932	powershell.exe
2764	powershell.exe
2848	powershell.exe
1256	powershell.exe
1064	powershell.exe
2808	powershell.exe
1052	powershell.exe
1644	powershell.exe
2532	powershell.exe
2636	powershell.exe
1972	powershell.exe
292	powershell.exe
2044	powershell.exe
2656	powershell.exe
1768	powershell.exe
2592	powershell.exe
1584	powershell.exe
2384	powershell.exe
2332	powershell.exe
2440	powershell.exe
2124	powershell.exe
2212	powershell.exe
1480	powershell.exe
2204	powershell.exe
2392	powershell.exe
1648	powershell.exe
2512	powershell.exe
2076	powershell.exe
708	powershell.exe
2544	powershell.exe
2956	powershell.exe
2632	powershell.exe
2652	powershell.exe
3052	powershell.exe
1496	powershell.exe
1720	powershell.exe
1892	powershell.exe
2720	powershell.exe
2180	powershell.exe
1304	powershell.exe
2636	powershell.exe
2664	powershell.exe
2112	powershell.exe
2488	powershell.exe
1872	powershell.exe
2840	powershell.exe
2332	powershell.exe
2724	powershell.exe
2508	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2440	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2708	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2776	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2088	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2784	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	904	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2292	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2860	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2712	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2708	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2776	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2088	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2372	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1708	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2916	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2616	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1680	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2264	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1908	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1540	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1940	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2748	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2896	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1060	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2988	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	908	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2368	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1664	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2512	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2752	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1484	NurikCrack1.16.5.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1356	NurikCrack1.16.5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2508	3016	CrackLauncher.exe	30
PID 3016 wrote to memory of 2508	3016	CrackLauncher.exe	30
PID 3016 wrote to memory of 2508	3016	CrackLauncher.exe	30
PID 3016 wrote to memory of 1936	3016	CrackLauncher.exe	31
PID 3016 wrote to memory of 1936	3016	CrackLauncher.exe	31
PID 3016 wrote to memory of 1936	3016	CrackLauncher.exe	31
PID 3016 wrote to memory of 2440	3016	CrackLauncher.exe	33
PID 3016 wrote to memory of 2440	3016	CrackLauncher.exe	33
PID 3016 wrote to memory of 2440	3016	CrackLauncher.exe	33
PID 2508 wrote to memory of 2720	2508	CrackLauncher.exe	34
PID 2508 wrote to memory of 2720	2508	CrackLauncher.exe	34
PID 2508 wrote to memory of 2720	2508	CrackLauncher.exe	34
PID 2508 wrote to memory of 2824	2508	CrackLauncher.exe	35
PID 2508 wrote to memory of 2824	2508	CrackLauncher.exe	35
PID 2508 wrote to memory of 2824	2508	CrackLauncher.exe	35
PID 2508 wrote to memory of 2708	2508	CrackLauncher.exe	37
PID 2508 wrote to memory of 2708	2508	CrackLauncher.exe	37
PID 2508 wrote to memory of 2708	2508	CrackLauncher.exe	37
PID 2720 wrote to memory of 1212	2720	CrackLauncher.exe	39
PID 2720 wrote to memory of 1212	2720	CrackLauncher.exe	39
PID 2720 wrote to memory of 1212	2720	CrackLauncher.exe	39
PID 2720 wrote to memory of 1972	2720	CrackLauncher.exe	40
PID 2720 wrote to memory of 1972	2720	CrackLauncher.exe	40
PID 2720 wrote to memory of 1972	2720	CrackLauncher.exe	40
PID 2720 wrote to memory of 2776	2720	CrackLauncher.exe	42
PID 2720 wrote to memory of 2776	2720	CrackLauncher.exe	42
PID 2720 wrote to memory of 2776	2720	CrackLauncher.exe	42
PID 1212 wrote to memory of 2340	1212	CrackLauncher.exe	43
PID 1212 wrote to memory of 2340	1212	CrackLauncher.exe	43
PID 1212 wrote to memory of 2340	1212	CrackLauncher.exe	43
PID 1212 wrote to memory of 1060	1212	CrackLauncher.exe	44
PID 1212 wrote to memory of 1060	1212	CrackLauncher.exe	44
PID 1212 wrote to memory of 1060	1212	CrackLauncher.exe	44
PID 1212 wrote to memory of 2088	1212	CrackLauncher.exe	46
PID 1212 wrote to memory of 2088	1212	CrackLauncher.exe	46
PID 1212 wrote to memory of 2088	1212	CrackLauncher.exe	46
PID 2340 wrote to memory of 2064	2340	CrackLauncher.exe	47
PID 2340 wrote to memory of 2064	2340	CrackLauncher.exe	47
PID 2340 wrote to memory of 2064	2340	CrackLauncher.exe	47
PID 2340 wrote to memory of 2344	2340	CrackLauncher.exe	48
PID 2340 wrote to memory of 2344	2340	CrackLauncher.exe	48
PID 2340 wrote to memory of 2344	2340	CrackLauncher.exe	48
PID 2340 wrote to memory of 2784	2340	CrackLauncher.exe	51
PID 2340 wrote to memory of 2784	2340	CrackLauncher.exe	51
PID 2340 wrote to memory of 2784	2340	CrackLauncher.exe	51
PID 2064 wrote to memory of 1052	2064	CrackLauncher.exe	52
PID 2064 wrote to memory of 1052	2064	CrackLauncher.exe	52
PID 2064 wrote to memory of 1052	2064	CrackLauncher.exe	52
PID 2064 wrote to memory of 936	2064	CrackLauncher.exe	53
PID 2064 wrote to memory of 936	2064	CrackLauncher.exe	53
PID 2064 wrote to memory of 936	2064	CrackLauncher.exe	53
PID 2064 wrote to memory of 904	2064	CrackLauncher.exe	55
PID 2064 wrote to memory of 904	2064	CrackLauncher.exe	55
PID 2064 wrote to memory of 904	2064	CrackLauncher.exe	55
PID 1052 wrote to memory of 2320	1052	CrackLauncher.exe	56
PID 1052 wrote to memory of 2320	1052	CrackLauncher.exe	56
PID 1052 wrote to memory of 2320	1052	CrackLauncher.exe	56
PID 1052 wrote to memory of 1188	1052	CrackLauncher.exe	57
PID 1052 wrote to memory of 1188	1052	CrackLauncher.exe	57
PID 1052 wrote to memory of 1188	1052	CrackLauncher.exe	57
PID 1052 wrote to memory of 2292	1052	CrackLauncher.exe	59
PID 1052 wrote to memory of 2292	1052	CrackLauncher.exe	59
PID 1052 wrote to memory of 2292	1052	CrackLauncher.exe	59
PID 2320 wrote to memory of 1384	2320	CrackLauncher.exe	60

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        7⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        8⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        9⤵
        Adds Run key to start application
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        10⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        11⤵
        Adds Run key to start application
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        12⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        13⤵
        Adds Run key to start application
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        14⤵
        Adds Run key to start application
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        15⤵
        Adds Run key to start application
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        16⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        17⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        18⤵
        Adds Run key to start application
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        19⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        20⤵
        Adds Run key to start application
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        21⤵
        Adds Run key to start application
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        22⤵
        Adds Run key to start application
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        23⤵
        Adds Run key to start application
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        24⤵
        Adds Run key to start application
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        25⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        26⤵
        Adds Run key to start application
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        27⤵
        Adds Run key to start application
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        28⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        29⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        30⤵
        Adds Run key to start application
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        31⤵
        Adds Run key to start application
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        32⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        33⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        34⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        35⤵
        Adds Run key to start application
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        36⤵
        Adds Run key to start application
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        37⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        38⤵
        Adds Run key to start application
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        39⤵
        Adds Run key to start application
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        40⤵
        Adds Run key to start application
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        41⤵
        Adds Run key to start application
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        42⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        43⤵
        Adds Run key to start application
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        44⤵
        Adds Run key to start application
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        45⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        46⤵
        Adds Run key to start application
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        47⤵
        Adds Run key to start application
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        48⤵
        Adds Run key to start application
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        49⤵
        Adds Run key to start application
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        50⤵
        Adds Run key to start application
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        51⤵
        Adds Run key to start application
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        52⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        53⤵
        Adds Run key to start application
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        54⤵
        Adds Run key to start application
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        55⤵
        Adds Run key to start application
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        56⤵
        Adds Run key to start application
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        57⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        58⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        59⤵
        Adds Run key to start application
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        60⤵
        Adds Run key to start application
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        61⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        62⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        63⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        64⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        65⤵
        Adds Run key to start application
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        66⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        67⤵
        Adds Run key to start application
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        68⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        69⤵
        Adds Run key to start application
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        70⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        71⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        72⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        72⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        72⤵
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        71⤵
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        70⤵
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        69⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        68⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        67⤵
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        66⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        65⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        64⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        64⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        63⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        63⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        62⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        62⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        61⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        60⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        60⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        59⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        59⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        58⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        58⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        57⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        56⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        55⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        54⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        53⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        52⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        51⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        50⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        49⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        48⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        47⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        46⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        45⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        44⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        43⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        42⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        41⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        40⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        39⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        38⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        37⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        36⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        35⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        34⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
      "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
    "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe
  "C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NurikCrack1.16.5.exe

Filesize
44KB

MD5
b738126406c02253ee779ac205d9174e

SHA1
70dc9f77f20777184df051201ab4eb6ae23fdd58

SHA256
b3d74f6ae903c8e60a8bc30315e3cbb5734577c3297ee3df2cd619b16d5884e3

SHA512
c26dac50200e66a9810817ac6a6b56c9a82b5ddb58a018681d7ff486ec0dccb5867349915d583ed9725a793fd707e5e1f5a2b01a2f3d9909e11207747373bfa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9825a6a8984e5202f254dec33a0f5e3d

SHA1
81152730aa150d15615b87cf0a0239b1e204ce2e

SHA256
253baea3b2a6611600b86d7bbff7531671466dd698180201578a6d8e45a060ae

SHA512
d90d66c87d03d9043f485f3eb950a93b0a8319dd39671f94dd05d6c5b8688c49e745306cf94db86ab2906f840b5d0c4d2c95bdd69c2eec10b5ca58d7649fe751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f822f084660b02b03e3e739bfa698ddc

SHA1
9f45a6b173584411e12011b4a44363f1d53345f9

SHA256
d95f2ce2c92f1a48187c25d50b2c8f35e7706181d727bfcfba2da641c6ac7119

SHA512
c155474143db83d194b46bf7d6633386563a03159ea116d0eabad23bc1428112f4db33b21a8d5bd1ab2f6e1153b228b360ff80a00e688c67ea33a475bc5a4961

Download Submit
memory/1060-38-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1936-8-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/1936-9-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1972-31-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2440-16-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/2508-25-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-7-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-22-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2824-23-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/3016-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/3016-15-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-6-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download