Analysis
-
max time kernel
66s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
03-03-2024 18:21
General
-
Target
https://cdn.discordapp.com/attachments/1213539495215898745/1213578524061990972/OxyCracks_NL.zip?ex=65f5fc13&is=65e38713&hm=dbf6abb58f3a7a0bff1d75c9df68bb44f0758ad1bc62a2e1db656b5f30887a3a&
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1213552478973333615/HgqZhFkfFc23la94axmDeeor-_w_RVjs_T-hJoCsewm4NGKl8540wNg3DAdr43d0NjoV
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Blocklisted process makes network request 2 IoCs
-
Modifies Windows Firewall 2 TTPs 9 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 16 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1213539495215898745/1213578524061990972/OxyCracks_NL.zip?ex=65f5fc13&is=65e38713&hm=dbf6abb58f3a7a0bff1d75c9df68bb44f0758ad1bc62a2e1db656b5f30887a3a&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4112 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OxyCracks_NL\" -ad -an -ai#7zMap18645:86:7zEvent72731⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Oxy.exe"C:\Users\Admin\AppData\Local\Temp\Oxy.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\server.exe"C:\Windows\server.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Windows\server.exe"4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe" "CiliBaba.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe" "CiliBaba.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Oxy.exe"C:\Users\Admin\AppData\Local\Temp\Oxy.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte07ed9f1hac4fh49ceh9c57h8a99488618cd1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1929922chfdd2h4554h9020hddeb8f29bfe61⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\ProgramData\44\Process.txtFilesize
1KB
MD5e6b846eb64622cd83c66428645c98eae
SHA10f3276269bbe01bb370fbb31226590497bce0b12
SHA256af2cc4fa64df737416eddae6c89b3c44513f8810e044eb5039008d14750d6981
SHA512206500151deae6c6e5446923fb5c1d6f97f44fa89aef149edfa3775dbd7d8798e7a1b9aab8e5d72fcc436c49b030bd0822d60c6e70eb279aa622bb8da6449cfe
-
C:\ProgramData\44\Process.txtFilesize
3KB
MD595bd420c2b374812b3fea7c1a28b026b
SHA1e8aaea7d3ab175b27e8b6db5d5c613c2a5137ced
SHA2566b5bba09284c3e4dbfd48c5a79f55b956891f39c6c52d73d548a130ff243bfe3
SHA512cdebf38da0cc8d809e5cd180a780ff7f6c15948c359c7cdaf438427d69af159f13985ba8df82a6c8278f3280a4454b69350c49fcfe50c04a1adbb3c590ebb464
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD579925d7e65ef04f4c048e1f495918339
SHA16cf9400937403197eb387ff2a53ca84028a7211f
SHA2569fa7601432118379a9fbf44bc3035ae2aa473c385dd7498757d0d0d574e1b49e
SHA512a2b58867870b46b50cc8ade35d78ce4c42efb21db3484bddbc388e0465d3a824da0d03267737e9e111ef0daa53414b9943d20180fa707cbf3043df9d15c5cbf9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD568326d97bc813b347a87685651967f1f
SHA1b304a2a51c5d89fe0b6543b0cdcd2fc257794c93
SHA2569c80201f9533fed040c088a2231a1caa2300b897322ebd9fd1a7ee25d39f71d5
SHA5124ca4aa5ae4168875fb30eaf6c67016219bd99e824c4c435d3f341d9d7f148f615f8f7084758a198ac40b2c57b4d9eba05d4b223a4503b8cb43fc7402c20a4f71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD5a6178ce24b22b55df40e6f3182568573
SHA1554697870327467a75f53a9c51e51d7b2de34e40
SHA25696ac14b863f33e8775cf1cb0de90b2978a76da060b69aade380d1d114db82909
SHA5124892b8b60d88cfaa27265306c0ae2d7f10363fa8b171235e85cbffcf7cdd67c0a2d1c646eea19e6020b9af5873341a23b1262bcb1e9914367520312d92425d5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
61B
MD54df4574bfbb7e0b0bc56c2c9b12b6c47
SHA181efcbd3e3da8221444a21f45305af6fa4b71907
SHA256e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA51278b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a8347ca6d9cd7458c0436e25f87522dd
SHA1082066812b7424ac77b0b3636e9355eb61dea1ba
SHA2565da884b0c7da56ab04cf4ed686ea0cce3d49fea431e208cc097794a5d552bfef
SHA51276798d144928e209f54e5636ae645b6d12c155c886123c2e30e64e120fadce63b68823dca3d15a1f851d3ba00e759acc86a337de4ff49889141fa864eb6ee4a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5101ddfe45259016c8c432fc150f176f1
SHA19cbf6b21f2749e0ad20fb6c690a11f7eaf80ce7e
SHA256e200b9238cd07a54311c4f35d1292083a939eb95b85c1bacbd2eae0738831bf1
SHA5123c2ab01ef45a47136a721a74702494417ae19d4a7ed964ce2160a5c3105e84c4a1d45518dcdb81d6aca598357b1caa36ca88dcaa2ae243ec3b824798476e29fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59365328082f39a88c245dd20870abefe
SHA1f84325fb125e5d8a79d598d889b8ab7f74fc0ea7
SHA256a1302a87e6c631cc2a049004fdeb26cfe7eee6d5505d6e6f966bc384903fbacd
SHA5128fab73535afd04cb73d8c1ea5ddae43268f29214d2bc303642643d6a02e786441e6138d8bfbd3ddeea52a162dee70531431748e5e5a8f70454f960b4f583408e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b7668fac-6bd8-4ee0-9881-1bf787c549ce.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD55bfa3ceea2854a90f32f93b998876cf3
SHA1653b528f86e59708a51a186e1399c4beca74a2f8
SHA2561d6962b59c186c9eaab9320ea109630b08124fdf919d133a5dc37685feedd899
SHA512614595500fffeeb778e5d95987dad83d63bf1b2435ffbaa38b0d0771924f506736ab7d3380341697f8a9144aec31d75b19aceab8fc1f2714c97b891cc5fdbc61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD57ac038e3083b28b434c2a332b8eb571a
SHA17664e693a8fa0d2edc860eeb1a2ffb53736f7603
SHA2561b965a69b283cbdc49d7bf2a7b5a7a8d3e7ad771d3fdb4f3c9672dd6839fbe6b
SHA512a602a4c37a8aa034bf4f62f68067e8a3ecceec4edab8215003dd64dc5c1853a152c083a18cc318de8bef71bb4f0e1f0a3aa847be88ed7da6768cfeef5b10fa1d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5145a982948b76e105452055bc922594e
SHA15406a51cc88216dacec1b41b8b8eea4dcbcda656
SHA256b52578e454556a0a063cc971be0fddee25ddb64871b6e44349853786261780a6
SHA512ad2d5621c5bbe695378e41e2a3e02ce2926f264f2b00c8281583ad01c0fe497f8cd989f6d472205cb960c5fe0e125bb2a73b0990855617a75eaea77e342655b8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD57996de2afa644171ec51b51a1629a859
SHA10a35bf2b51ff4e0e8206319ab0390b34656c3a7a
SHA256aa2405c3125d49d05f9906802d76c7a3c0076db67b8cbf145a8d1e8939f609ce
SHA51215de4ad9a595c75b569f4439d5425a70b558362a9aacc5dde83fd6870a08b255d3e43a33f6fb46733657f99e85b83cc92cb2881c05d12164c2ff13ecdae840fc
-
C:\Users\Admin\AppData\Local\Temp\Built.exeFilesize
1.3MB
MD5a6e884cc24bf04ebe764788a4809b480
SHA1a6a8175c619940e908caf5710e2f098c544eb859
SHA25622b7cd4e38d202ba4f3a94e1f9eb035a0d789af23eaad1ee64b46a3c81024a94
SHA5126dbc7b8e8daa16604425abc5e4c817b7e7a85cff4ebbacc2cd9cf68d4cb7eceaea7ac19181c638cb3ac95843712a7ddbf5f2bf40bdebd7060855940d50ba5681
-
C:\Users\Admin\AppData\Local\Temp\Built.exeFilesize
448KB
MD58c2c49657776e9fded65e9882d76c46a
SHA109deaafc0d24f8c5e38274bde5848cbf98451454
SHA2566e1b3c0e8e0d31b2b88f71c5a38802eddbcfe8bc076dcbd310db4ddd4292c845
SHA5122d39ead3a1e1ad260f6cec759e8e98ad95ac6fa629ac8797a8d01c8c00bd304cc6b082bbd2086f077c16b24963b859aa4d0702146fbfbcf07f474040846f375e
-
C:\Users\Admin\AppData\Local\Temp\Built.exeFilesize
896KB
MD53b064ad14e03493986e670f6882d29c0
SHA1b467f5b558bfa1d6d6d4c836f09dc099917565b2
SHA25614a7507b22ce6469407122d551a9f2b5194225ccf4e87a27c3dab7050ab3d6d6
SHA51208d31ca193529980112d60fff9073767d4822371bf0181ec3f5ad4881687b6d7c973b428a1bea41346215a9ceea8d746e7ea084c0a693eeba9485d29bf8ae178
-
C:\Users\Admin\AppData\Local\Temp\Built.exeFilesize
128KB
MD5750df7bde1fa8361cf90faecccacb7ea
SHA15a01dfa63cce8b9d1a0ac9c2231d408643bc4cd6
SHA256c899b71f214123cbd4e987e265cc11f89c34087a46ffbf412b0275a6162b24ae
SHA5121abed685e3e349557adf7e92531119c8abeed7d354bd0b910b3c8b372d7273e348e21f59707ec3779d892cd7c02d9fb3f1f21c13e5cf6b4568c3420e0e36fd9a
-
C:\Users\Admin\AppData\Local\Temp\CiliBaba.exeFilesize
143KB
MD5c8458152f64cd12af8253a942d7a0d96
SHA1004a6eec723c95b35302cb737ef748aca822823f
SHA25660320214411f6f8dc5eb31f2694177190bebe8feccc54fbdafbc6fbe141fd66c
SHA512a6b31c03616f7abb5a572eb22c4dcb9d6fec7ced36dd82f17ec53d4dc72377b7dbe8ad46d8127e21e33f54b76694f399528bc3fe0d203685cc6ab07368ba39ab
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exeFilesize
274KB
MD54a9cb193934224753cb78b155ed433a4
SHA199bd1bf009525469315895c531af64da0292ad43
SHA256bb84b931c5900c04cd9f0e5eb6ad37fe83388b9fdd807e006eb3fc83e9d7f5ab
SHA51258b64c177fb8bd2eae97f22a9c0c7e9db47f316b5ec6d8479f6aa04f4a5b931388d45b7a2514f5d3521ddc3858c2df08668e32eb08ba62526da6e52db1b47034
-
C:\Users\Admin\AppData\Local\Temp\Never Give Up.exeFilesize
149KB
MD5213b9545ebaf4a3579849cc7e27c1e29
SHA1ca629386992d6588aa90df3a41c348495649dee2
SHA2568ae74c33d58231e3d236731e9927c5831425323b04a069176e1d6b377198d8e7
SHA5124b1584adcfdd7848ea4012d586953c08ce403d6c4000d8adfc79161dec0e74f1dd5604e8afe745d596cca7a4812c1933359ddeb58ded70fd723f998d369a20df
-
C:\Users\Admin\AppData\Local\Temp\Oxy.exeFilesize
144KB
MD57290e9bf05676c9dfd2f28ecf4b5782e
SHA1cf332986527dd04a6b723c4d607770cc19f727eb
SHA2566de014d27fdbba57c90d4cd7fb5150a83d4dfa86be0f1f17687aec000e3f4f56
SHA5129676bcb086f9ef76a3dfa4dbe4e20f0bf3ae7a35bdd618ab974374aefc35cafc64014094f51341ad8eefb649b22c52e1a6e76d0fb0984c5b717e5128cf0538d1
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_bz2.pydFilesize
48KB
MD56c57219d7f69eee439d7609ab9cc09e7
SHA152e8abbc41d34aa82388b54b20925ea2fcca2af8
SHA2568e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92
SHA512801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ctypes.pydFilesize
58KB
MD5ee77573f4335614fc1dc05e8753d06d9
SHA19c78e7ce0b93af940749295ec6221f85c04d6b76
SHA25620bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87
SHA512c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_decimal.pydFilesize
106KB
MD5787f57b9a9a4dbc0660041d5542f73e2
SHA1219f2cdb825c7857b071d5f4397f2dbf59f65b32
SHA256d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300
SHA512cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_hashlib.pydFilesize
35KB
MD5ff0042b6074efa09d687af4139b80cff
SHA1e7483e6fa1aab9014b309028e2d31c9780d17f20
SHA256e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce
SHA5120ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_lzma.pydFilesize
86KB
MD558b19076c6dfb4db6aa71b45293f271c
SHA1c178edc7e787e1b485d87d9c4a3ccfeadeb7039e
SHA256eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5
SHA512f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_queue.pydFilesize
25KB
MD5e8f45b0a74ee548265566cbae85bfab8
SHA124492fcd4751c5d822029759dec1297ff31ae54a
SHA25629e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd
SHA5125861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_socket.pydFilesize
43KB
MD56ef6bcbb28b66b312ab7c30b1b78f3f3
SHA1ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539
SHA256203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2
SHA512bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_sqlite3.pydFilesize
56KB
MD5467bcfb26fe70f782ae3d7b1f371e839
SHA10f836eb86056b3c98d7baf025b37d0f5fe1a01a5
SHA2566015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48
SHA51219362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ssl.pydFilesize
65KB
MD596af7b0462af52a4d24b3f8bc0db6cd5
SHA12545bb454d0a972f1a7c688e2a5cd41ea81d3946
SHA25623c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f
SHA5122a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\base_library.zipFilesize
1.4MB
MD56e706e4fa21d90109df6fce1b2595155
SHA15328dd26b361d36239facff79baca1bab426de68
SHA256ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998
SHA512c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\blank.aesFilesize
118KB
MD5eaeb07ef0948a7707d3b2319b4fed14d
SHA1c1c89128b43af6b4157b873e1e9a26a601567076
SHA256e50f635db07a7fa0f58046d9e75a3424cd4c2bbb5b5e254c979d20c767739612
SHA512f8d7bd932b0d868299ca8c18db5bd8d20b6e14da5f565eed149e6c7ba0b16e8b6fd9dcdf3232448b1de72a5329358ca6c6935284b4c1cf95ead03c9f6404a810
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libcrypto-3.dllFilesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libssl-3.dllFilesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\python311.dllFilesize
1.1MB
MD5c8cfd0ba25d1abd188bc9b0d55a5f7ac
SHA15f3069cd29e649304739213e9e9c482fc59ddf40
SHA256a40c99628fcf5d6faeb86a2b541dda0025e44bd62297cd28fca867144a7429b0
SHA512aaf88487dafca01fdcd8e2fc065bfcf7eaf92be1674531026e96b9a4eff6af47f7c036de9b62f8f574c3f7748b2a9df6192c6b9adaf0ff85491ccd43e6bd93e6
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\python311.dllFilesize
256KB
MD55d5ace091bb5f669d038dfbf89d8c985
SHA15109ec39732a49172da71475fe0ab975572c0f2d
SHA256408a2503f58d1a3de30264472b29b8d8911ec887b7a11c2e98a58ec9c0d61efa
SHA5124f560b43e6cbc71793087c9f1aece0c62dec8fe8d06525d363470a58909c696b6d7cad1ba3e8dcdb46a31b16237dae20aebb80dde98fd1683bb458fcf521cc4c
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\select.pydFilesize
25KB
MD5d76b7f6fd31844ed2e10278325725682
SHA16284b72273be14d544bb570ddf180c764cde2c06
SHA256e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969
SHA512943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dllFilesize
630KB
MD573b763cedf2b9bdcb0691fb846894197
SHA1bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2
SHA256e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5
SHA512617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dllFilesize
64KB
MD56647713ad3df456870251f5bcfd32002
SHA100a4fe8c2ca3b9fb41d6e49a4c064abf78239f11
SHA256143f5564a2c610de1537b58ece36084b6fca0fd8f43ecbf13ca7e8eeb79b647c
SHA512e3ee16e2a6c870f5536d791166fd91039cc91755846390114b4e7dce79e40ae74b8c26db62fac34a0c045fe576e30d53626d24770def8713fb7e6f4b2daf57f0
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\unicodedata.pydFilesize
295KB
MD56873de332fbf126ddb53b4a2e33e35a5
SHA193748c90cd93fda83fcd5bb8187eeaf6b67a2d08
SHA256f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370
SHA5120e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c
-
C:\Users\Admin\AppData\Local\Temp\_MEI44282\blank.aesFilesize
118KB
MD5113c6f0709165df7b416c7a9ef54e42f
SHA18415f7d5ccd1fa2def4e1afe5218338e12d4b826
SHA2561c03e11dd9e6a20046ff26e3fce06cb7f58ef9343e3d0e110686d3f46c6b5aac
SHA512700ff1143418debdccb1a03c7b2df0cdae79201e83e14a2835e8854f1b40f59ede8a915e865419ad642846fc83b0c17f419b00d37abc314065a7e8fbeda0f0c8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yt41y1ad.ayz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp9A18.tmp.datFilesize
92KB
MD5c2515561b9dd345db98ed9d4fc658338
SHA1f403e9444049165bd5f3e3176d76a39eeaebf211
SHA25638f56b30db83047d4568ca521650ee4bcfc8a19ef972735f9dd53ebfa17881cf
SHA5123cfd530e47ef80e73d8b92501e54ef66b961eaafbc379d013b20a71701abe5bea0caab9bd932a8769fdb2e15ac70320df9025f75ad4adc83bec8790ee96ffaa4
-
C:\Users\Admin\AppData\Local\Temp\tmp9A2B.tmp.datFilesize
64KB
MD5a3545088c55f94b4af8033b7a971b81c
SHA172a0ff33519792a3778974c180c52f7b51d14d57
SHA25610a521330fd5c6d2fbe9262721aa37820e10dc41efc57f394bbad203498c285c
SHA51247ee1ac5653d0d886d11ead6563b8bdfdafced08ba56941aeccbc0632de20da371747a0811a52fbe259401a4287ed53db63ffb1dcdc3dbd1ae8f0b5078dc357b
-
C:\Users\Admin\AppData\Roaming\appFilesize
4B
MD5399f38fdf7aaf217d0b32896af9f298c
SHA1db37bfb5bd821b9068587df50d57b38f0287d760
SHA256c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46
SHA5120130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179
-
C:\Users\Admin\Downloads\OxyCracks_NL.zipFilesize
7.7MB
MD5c0c4fb82443a571255c910262d7cf4d0
SHA18cb29cf457c8237774627ca58148a39bbf899ae7
SHA25603ab73f7daea7657290ea1b61657ce07c8f98c1e743e3006052214294bebf401
SHA5125072fcd961b9db88c201c9b82bb391b355d403b5a602747f3315b099668ba775e78715af99fa6b6db528514cd95adc8e3451cd35fd87cb30ca2d92f60530824e
-
C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exeFilesize
8.0MB
MD50fa734c12c775665eef35bd81657bc2c
SHA10a865ce1dcda1602ac25c120e15752b430744908
SHA2563b12897906c0bed01a985254c1a6ea59081ba743c4e498347dc0f9e2d6e122d2
SHA512b3bd6c4cb5bfd599b558a559a422dceed426948facb35acf70a39a466c7dd334ba6148869a042c38ef7f0c0cc45a5c1618b884ed911a123b2aa258faca5a0493
-
\??\pipe\LOCAL\crashpad_3652_SKEDTJIBSFHLEWAZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/868-250-0x000002CF59460000-0x000002CF59470000-memory.dmpFilesize
64KB
-
memory/868-131-0x000002CF57810000-0x000002CF5785A000-memory.dmpFilesize
296KB
-
memory/868-204-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB
-
memory/868-464-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB
-
memory/1060-232-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/1060-737-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/1060-208-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/1060-209-0x0000000000A60000-0x0000000000A70000-memory.dmpFilesize
64KB
-
memory/1060-749-0x0000000000A60000-0x0000000000A70000-memory.dmpFilesize
64KB
-
memory/1060-748-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/2604-282-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/2604-240-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/2604-236-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/2604-239-0x0000000000890000-0x00000000008A0000-memory.dmpFilesize
64KB
-
memory/3052-899-0x00007FFA73600000-0x00007FFA7362D000-memory.dmpFilesize
180KB
-
memory/3052-907-0x00007FFA73120000-0x00007FFA731ED000-memory.dmpFilesize
820KB
-
memory/3052-741-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmpFilesize
5.9MB
-
memory/3052-903-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmpFilesize
100KB
-
memory/3052-735-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmpFilesize
60KB
-
memory/3052-898-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmpFilesize
60KB
-
memory/3052-912-0x00007FFA73000000-0x00007FFA7311C000-memory.dmpFilesize
1.1MB
-
memory/3052-909-0x00007FFA841F0000-0x00007FFA841FD000-memory.dmpFilesize
52KB
-
memory/3052-908-0x00007FFA738D0000-0x00007FFA738E4000-memory.dmpFilesize
80KB
-
memory/3052-896-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmpFilesize
5.9MB
-
memory/3052-906-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmpFilesize
5.2MB
-
memory/3052-904-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmpFilesize
52KB
-
memory/3052-905-0x00007FFA73590000-0x00007FFA735C3000-memory.dmpFilesize
204KB
-
memory/3052-902-0x00007FFA731F0000-0x00007FFA73366000-memory.dmpFilesize
1.5MB
-
memory/3052-900-0x00007FFA84CF0000-0x00007FFA84D09000-memory.dmpFilesize
100KB
-
memory/3052-743-0x00007FFA73950000-0x00007FFA73974000-memory.dmpFilesize
144KB
-
memory/3052-897-0x00007FFA73950000-0x00007FFA73974000-memory.dmpFilesize
144KB
-
memory/3052-901-0x00007FFA735D0000-0x00007FFA735F3000-memory.dmpFilesize
140KB
-
memory/3468-694-0x0000026AC0400000-0x0000026AC0410000-memory.dmpFilesize
64KB
-
memory/3468-740-0x00007FFA70E20000-0x00007FFA718E1000-memory.dmpFilesize
10.8MB
-
memory/3540-286-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmpFilesize
144KB
-
memory/3540-253-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmpFilesize
60KB
-
memory/3540-481-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmpFilesize
100KB
-
memory/3540-482-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmpFilesize
52KB
-
memory/3540-483-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmpFilesize
204KB
-
memory/3540-485-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmpFilesize
820KB
-
memory/3540-412-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmpFilesize
1.1MB
-
memory/3540-293-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmpFilesize
204KB
-
memory/3540-479-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmpFilesize
140KB
-
memory/3540-488-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmpFilesize
1.1MB
-
memory/3540-278-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmpFilesize
52KB
-
memory/3540-274-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmpFilesize
820KB
-
memory/3540-269-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmpFilesize
5.2MB
-
memory/3540-478-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmpFilesize
100KB
-
memory/3540-477-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmpFilesize
180KB
-
memory/3540-476-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmpFilesize
60KB
-
memory/3540-467-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmpFilesize
144KB
-
memory/3540-480-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmpFilesize
1.5MB
-
memory/3540-465-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmpFilesize
5.9MB
-
memory/3540-296-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmpFilesize
80KB
-
memory/3540-290-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmpFilesize
100KB
-
memory/3540-484-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmpFilesize
5.2MB
-
memory/3540-255-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmpFilesize
100KB
-
memory/3540-260-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmpFilesize
140KB
-
memory/3540-487-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmpFilesize
52KB
-
memory/3540-261-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmpFilesize
1.5MB
-
memory/3540-289-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmpFilesize
180KB
-
memory/3540-284-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmpFilesize
5.9MB
-
memory/3540-292-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmpFilesize
52KB
-
memory/3540-486-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmpFilesize
80KB
-
memory/3624-283-0x0000000000770000-0x0000000000780000-memory.dmpFilesize
64KB
-
memory/3624-143-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/3624-241-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/3624-285-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4424-730-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4424-734-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4424-732-0x00000000005A0000-0x00000000005B0000-memory.dmpFilesize
64KB
-
memory/4508-291-0x0000000000B60000-0x0000000000B70000-memory.dmpFilesize
64KB
-
memory/4508-415-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4508-295-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4980-636-0x00000000009F0000-0x0000000000A00000-memory.dmpFilesize
64KB
-
memory/4980-287-0x00000000009F0000-0x0000000000A00000-memory.dmpFilesize
64KB
-
memory/4980-288-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/4980-414-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5828-671-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5828-658-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5828-669-0x0000000000B20000-0x0000000000B30000-memory.dmpFilesize
64KB
-
memory/5828-738-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5972-709-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5972-742-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5972-729-0x0000000073A10000-0x0000000073FC1000-memory.dmpFilesize
5.7MB
-
memory/5972-728-0x00000000007F0000-0x0000000000800000-memory.dmpFilesize
64KB
-
memory/6032-634-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB
-
memory/6032-418-0x00000159F0540000-0x00000159F0550000-memory.dmpFilesize
64KB
-
memory/6032-419-0x00000159F0540000-0x00000159F0550000-memory.dmpFilesize
64KB
-
memory/6032-420-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB
-
memory/6048-416-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB
-
memory/6048-417-0x000001B9E9F50000-0x000001B9E9F60000-memory.dmpFilesize
64KB
-
memory/6048-426-0x000001B9E9910000-0x000001B9E9932000-memory.dmpFilesize
136KB
-
memory/6048-635-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmpFilesize
10.8MB