Analysis
max time kernel: 300s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 20:48
Static task: static1
Behavioral task: behavioral1
Sample: Nurik Crack.exe
Resource: win10v2004-20240426-en
General
Target: Nurik Crack.exe
Size: 17.1MB
MD5: b7f43033dec1673444774fff98ce38a2
SHA1: 98c5e478d0442b04610742dc997ad227f63ab5bb
SHA256: c0fb1c29e216e6ede0976d74218c4565ee5a525765995883e3d6c39d50e7c5a0
SHA512: 7e04c6491b659a51ce33c25c4d1e246850228d3098f22c82d4aa25df2726d69ce8d784d0c40376516c1b78aa8d9a0d5c7a2d1b7b57572b04e9fa532a6dac7ee1
SSDEEP: 393216:NUXX0vOtgLY3q/kXpUbIicANsdh9IvI4I4dHK/w/ZZqplCyLIr:CKaBPZUbIEyXuJPZGDIr
Malware Config
Extracted
xworm
127.0.0.1:1337
104.28.229.13:1337
192.168.2.133:1337
Install_directory: %ProgramData%
telegram: https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y/sendMessage?chat_id=6727135086
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Xworm Payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Nursultan.exe | family_xworm
behavioral1/memory/4232-94-0x0000000000400000-0x000000000045C000-memory.dmp | family_xworm
behavioral1/memory/4740-68-0x0000000000B60000-0x0000000000BBC000-memory.dmp | family_xworm
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | dcrat
C:\Nursultan\Crack.exe | dcrat
behavioral1/memory/3584-118-0x0000000000030000-0x0000000000350000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
3752 | powershell.exe
4852 | powershell.exe
2524 | powershell.exe
1888 | powershell.exe
-
Downloads MZ/PE file
-
.NET Reactor protector 6 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | net_reactor
C:\Users\Admin\AppData\Roaming\Nursultan2.exe | net_reactor
behavioral1/memory/2536-34-0x0000000000BC0000-0x0000000000DF8000-memory.dmp | net_reactor
C:\Users\Admin\AppData\Roaming\Nurik2.exe | net_reactor
behavioral1/memory/3960-39-0x00000000002D0000-0x0000000000582000-memory.dmp | net_reactor
behavioral1/memory/848-33-0x0000000000330000-0x0000000000568000-memory.dmp | net_reactor
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Nursultan Cracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Nurik Crack.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Nursultan.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | dotnet-sdk-8.0.300-win-x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | NursultanNotCracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | NursultanNotCracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | NursultanNotCracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Nursultan Cracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | NursultanNotCracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurikCracked.lnk | Nursultan.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | Nurik2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | NursultanNotCracked2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | Nursultan2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | NursultanNotCracked2.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | Nursultan2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | Nurik2.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurikCracked.lnk | Nursultan.exe
-
Executes dropped EXE 33 IoCs
Processes:
pid | process
2536 | NursultanNotCracked2.exe
848 | Nursultan2.exe
3960 | Nurik2.exe
5000 | Nursultan Cracked.exe
4740 | Nursultan.exe
2352 | Nurik.exe
4444 | NursultanNotCracked.exe
496 | Nursultan.exe
2024 | NursultanNotCracked.exe
3748 | Nurik.exe
3584 | Crack.exe
1404 | Crack.exe
6072 | NurikCracked
6120 | NurikCracked
5052 | NurikCracked
608 | dotnet-sdk-8.0.300-win-x64.exe
5744 | dotnet-sdk-8.0.300-win-x64.exe
596 | dotnet-sdk-8.0.300-win-x64.exe
3380 | NurikCracked
2432 | dotnet.exe
2856 | Nurik2.exe
1348 | Nursultan Cracked.exe
1004 | Nursultan.exe
4468 | Nursultan2.exe
4644 | NursultanNotCracked.exe
5012 | NursultanNotCracked2.exe
2928 | Nurik.exe
5400 | Nursultan.exe
4496 | NursultanNotCracked.exe
5344 | Nurik.exe
5480 | Crack.exe
4296 | Crack.exe
4764 | NurikCracked
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{582ba875-ec42-4505-9e60-ec189a76f52c} = "\"C:\\ProgramData\\Package Cache\\{582ba875-ec42-4505-9e60-ec189a76f52c}\\dotnet-sdk-8.0.300-win-x64.exe\" /burn.runonce" | dotnet-sdk-8.0.300-win-x64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NurikCracked = "C:\\ProgramData\\NurikCracked" | Nursultan.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
18 | ip-api.com
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
description | pid | process | target process
PID 2536 set thread context of 4232 | 2536 | NursultanNotCracked2.exe | schtasks.exe
PID 848 set thread context of 2412 | 848 | Nursultan2.exe | schtasks.exe
PID 3960 set thread context of 1520 | 3960 | Nurik2.exe | schtasks.exe
PID 4468 set thread context of 2136 | 4468 | Nursultan2.exe | schtasks.exe
PID 2856 set thread context of 1800 | 2856 | Nurik2.exe | schtasks.exe
PID 5012 set thread context of 4168 | 5012 | NursultanNotCracked2.exe | schtasks.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies data under HKEY_USERS 57 IoCs
-
Modifies registry class 64 IoCs
NTFS ADS 1 IoCs
Processes:
msedge.exe
description: File opened for modification
ioc: C:\Users\Admin\Downloads\Unconfirmed 991091.crdownload:SmartScreen
process: msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exe
pid process
4724 taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Nursultan.exe
NursultanNotCracked.exe
pid process
4740 Nursultan.exe
4644 NursultanNotCracked.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"3⤵PID:2672
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"3⤵PID:4232
-
C:\Users\Admin\AppData\Roaming\Nursultan2.exe"C:\Users\Admin\AppData\Roaming\Nursultan2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"3⤵PID:2412
-
C:\Users\Admin\AppData\Roaming\Nurik2.exe"C:\Users\Admin\AppData\Roaming\Nurik2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"3⤵PID:3580
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"3⤵PID:1520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2848 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaa0946f8,0x7ffeaa094708,0x7ffeaa0947185⤵PID:4288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:25⤵PID:3844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:85⤵PID:2304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:15⤵PID:3120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵PID:4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:15⤵PID:2672
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:85⤵PID:4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:15⤵PID:3896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:15⤵PID:992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:15⤵PID:5188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:15⤵PID:5196
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:15⤵PID:5556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:15⤵PID:5644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5968 /prefetch:85⤵PID:5408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:15⤵PID:5416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:85⤵PID:3480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:15⤵PID:5720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:15⤵PID:2360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:15⤵PID:5316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5356 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,8014812777731292225,8524632011462281981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:85⤵PID:820
-
C:\Users\Admin\Downloads\dotnet-sdk-8.0.300-win-x64.exe"C:\Users\Admin\Downloads\dotnet-sdk-8.0.300-win-x64.exe"5⤵
- Executes dropped EXE
PID:608 -
C:\Windows\Temp\{48EA2440-3BFC-48FC-A819-C8370D976AA4}\.cr\dotnet-sdk-8.0.300-win-x64.exe"C:\Windows\Temp\{48EA2440-3BFC-48FC-A819-C8370D976AA4}\.cr\dotnet-sdk-8.0.300-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\dotnet-sdk-8.0.300-win-x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=7206⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5744 -
C:\Windows\Temp\{24F89BE8-0E75-4F13-9171-C2BED1468DE4}\.be\dotnet-sdk-8.0.300-win-x64.exe"C:\Windows\Temp\{24F89BE8-0E75-4F13-9171-C2BED1468DE4}\.be\dotnet-sdk-8.0.300-win-x64.exe" -q -burn.elevated BurnPipe.{C62CFA04-2E8C-4440-9F44-2098EFAD17D7} {02896B8C-0E91-42D3-94E3-0EB054652E9D} 57447⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:596 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.04⤵PID:5484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffeaa0946f8,0x7ffeaa094708,0x7ffeaa0947185⤵PID:5500
-
C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe"C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Roaming\Nursultan.exe"C:\Users\Admin\AppData\Roaming\Nursultan.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:496 -
C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"4⤵
- Checks computer location settings
PID:5052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "5⤵PID:3320
-
C:\Nursultan\Crack.exe"C:\Nursultan\Crack.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Users\Admin\AppData\Roaming\Nurik.exe"C:\Users\Admin\AppData\Roaming\Nurik.exe"3⤵
- Executes dropped EXE
PID:3748 -
C:\Users\Admin\AppData\Roaming\Nursultan.exe"C:\Users\Admin\AppData\Roaming\Nursultan.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\NurikCracked'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurikCracked'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NurikCracked" /tr "C:\ProgramData\NurikCracked"3⤵
- Creates scheduled task(s)
PID:3464 -
C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "4⤵PID:4312
-
C:\Nursultan\Crack.exe"C:\Nursultan\Crack.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3584 -
C:\Users\Admin\AppData\Roaming\Nurik.exe"C:\Users\Admin\AppData\Roaming\Nurik.exe"2⤵
- Executes dropped EXE
PID:2352
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3924
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:2524
-
C:\ProgramData\NurikCrackedC:\ProgramData\NurikCracked1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6072
-
C:\ProgramData\NurikCrackedC:\ProgramData\NurikCracked1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4724
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6100
-
C:\ProgramData\NurikCrackedC:\ProgramData\NurikCracked1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5456 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F70A88D50791A1D18A4EB9DA10F3C21B2⤵
- Loads dropped DLL
PID:1360 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 46DF211D480796C53AC52FE3C33D00B42⤵
- Loads dropped DLL
PID:5108 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F64FBA75EC05149602372D18F84189C32⤵
- Loads dropped DLL
PID:3152 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3C13481A961A76E2DDCBC9504CE684AF2⤵
- Loads dropped DLL
PID:5144 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A0CCCAB34A41450A932FA7C99C2C0DE12⤵
- Loads dropped DLL
PID:1092 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 19ABAE2FFE940F0E8F017A2A25616FA82⤵
- Loads dropped DLL
PID:2568 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6DE3FA5370BD6291DDF86FDE7F2279942⤵
- Loads dropped DLL
PID:4632 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A4933E2A93D6774C173996C92C6EC6912⤵
- Loads dropped DLL
PID:5364 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0E290C052E8B06D5608A0A556DD0F5D72⤵
- Loads dropped DLL
PID:4788 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C6D1FE8DA2AD9FE7897BFA60C69C67202⤵
- Loads dropped DLL
PID:3012 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE8831F7B7482F665BF796B865CBA9572⤵
- Loads dropped DLL
PID:864 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5851FCD734D4C75494D88FA697FCC18B2⤵
- Loads dropped DLL
PID:1524 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CA1C08C45EF9FDB4937084BFA8F49FDE2⤵
- Loads dropped DLL
PID:3012 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 672E7A7F1675689AA31D7BDE8FC1C49E2⤵
- Loads dropped DLL
PID:4320 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 74FEBC8416E8D257CBED17FDE278927F2⤵
- Loads dropped DLL
PID:788 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8D966127C62ACAAA83D0282A8C7EC3192⤵
- Loads dropped DLL
PID:3464 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4CAFC31175BF607BAC627CFC34F718B62⤵
- Loads dropped DLL
PID:5440 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C9F7B28CBA21075237940C879CDBB3952⤵
- Loads dropped DLL
PID:2076 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0D6E5DC75D9C6D5A64738726B00415E42⤵
- Loads dropped DLL
PID:4296 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1E34D3C56305C0005EF5DF8C7F90341A2⤵
- Loads dropped DLL
PID:3628 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E54C1F0ADBE0DE83BECEEC3EDDD101A92⤵
- Loads dropped DLL
PID:1544 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 94E3B16D9E22AACD771B099481C862E52⤵
- Loads dropped DLL
PID:5988 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B3BC627E99FE2C87282B940EF48AFAB72⤵
- Loads dropped DLL
PID:2940 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5476A3F87CD0323953DAAFED48E1AF9D2⤵
- Loads dropped DLL
PID:1504 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 71AE5A679A7E17632F6C148F8F5ED4002⤵
- Loads dropped DLL
PID:1888 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4FCF1D2EE4AB179033B905BE5AAA2CA02⤵
- Loads dropped DLL
PID:388 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A9FA761EAE5FEDA5F8A79E18C010C021 E Global\MSI00002⤵
- Loads dropped DLL
PID:5508 -
C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\\dotnet.exe" exec "C:\Program Files\dotnet\\sdk\8.0.300\dotnet.dll" internal-reportinstallsuccess "C:\Users\Admin\Downloads\dotnet-sdk-8.0.300-win-x64.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\system32\getmac.exe"C:\Windows\system32\getmac.exe"4⤵PID:5776
-
C:\Windows\system32\getmac.exe"C:\Windows\system32\getmac.exe"4⤵PID:5400
-
C:\Windows\system32\getmac.exe"C:\Windows\system32\getmac.exe"4⤵PID:3008
-
C:\Windows\system32\getmac.exe"C:\Windows\system32\getmac.exe"4⤵PID:3156
-
C:\Windows\system32\getmac.exe"C:\Windows\system32\getmac.exe"4⤵PID:716
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7DADB730F91733E7D018C6A79383E9362⤵PID:1624
-
C:\ProgramData\NurikCrackedC:\ProgramData\NurikCracked1⤵
- Executes dropped EXE
PID:3380
-
C:\Users\Admin\AppData\Roaming\Nurik2.exe"C:\Users\Admin\AppData\Roaming\Nurik2.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2856 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"2⤵PID:1800
-
C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe"C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1348 -
C:\Users\Admin\AppData\Roaming\Nursultan.exe"C:\Users\Admin\AppData\Roaming\Nursultan.exe"2⤵
- Executes dropped EXE
PID:5400 -
C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"3⤵
- Checks computer location settings
PID:5072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "4⤵PID:3376
-
C:\Nursultan\Crack.exe"C:\Nursultan\Crack.exe"5⤵
- Executes dropped EXE
PID:4296 -
C:\Users\Admin\AppData\Roaming\Nurik.exe"C:\Users\Admin\AppData\Roaming\Nurik.exe"2⤵
- Executes dropped EXE
PID:5344
-
C:\Users\Admin\AppData\Roaming\Nursultan.exe"C:\Users\Admin\AppData\Roaming\Nursultan.exe"1⤵
- Executes dropped EXE
PID:1004
-
C:\Users\Admin\AppData\Roaming\Nursultan2.exe"C:\Users\Admin\AppData\Roaming\Nursultan2.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4468 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"2⤵PID:2136
-
C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"2⤵
- Checks computer location settings
PID:2200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "3⤵PID:4976
-
C:\Nursultan\Crack.exe"C:\Nursultan\Crack.exe"4⤵
- Executes dropped EXE
PID:5480
-
C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe"C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5012 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe"2⤵PID:4168
-
C:\Users\Admin\AppData\Roaming\Nurik.exe"C:\Users\Admin\AppData\Roaming\Nurik.exe"1⤵
- Executes dropped EXE
PID:2928
-
C:\ProgramData\NurikCrackedC:\ProgramData\NurikCracked1⤵
- Executes dropped EXE
PID:4764
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Downloads
-
C:\Program Files\dotnet\sdk\8.0.300\Sdks\Microsoft.SourceLink.Common\buildMultiTargeting\Microsoft.SourceLink.Common.props
Filesize295B
MD5a5dcc9e5bf323d748b26652e11956905
SHA17f8c7a2523d1f4600e0f8bf347d10564cef36780
SHA2562ddb662297ebfb51e70bc61ca7695dc62124a1edd342c82e87e6302cc03f016c
SHA51279d324b12b375ccf888828fd64c303a669ab00657dbf6fe76bba522c7683b7aff8b0c216905fed00284ddf8841fabcf8e2bb64b6849956572d11bbbc8e1540ae
-
Filesize
4KB
MD5a22cdd3374234d3a50c2ace2dc33a63f
SHA1d71bb2417cb805c3da21ebcc0e1ae5a102823c9b
SHA256b60b80763571c22739c4a688a46ee12c65bb66d1e9ac7d0933c2e4222e618874
SHA51271d27f36a5b03c6b470f720196d3d67706f47f3b1d4f88f55960676b3a5024c9ceb1228e7dd6173d24270af556c0d3898fb5395e3823801691deac8ea6026d61
-
Filesize
18KB
MD5e771e643a2f47b5d527aa4dd1e857aed
SHA1ddb6ebbdc354122989c67ed9cc2555da640b16e5
SHA2568c4a1a6e84875ae583fc032a723e934f0d8805d452b43a81b4eec624b5ea7e15
SHA51214d17e82464fb813ff044b4e5dad1a429f0fd8fc5973ba2bcdb50edbef7e129048133d99b5c50f86a3f82d33b9faddbbeafff222d92b80e31ff963345c4b29e9
-
Filesize
19KB
MD579e57433e70b5a0a300303dfc5d759b4
SHA1cfe5862964f3b389cbac01e157e9ade0031e45ef
SHA256b58c35c328c383e3461c3ea2f1f0c46e7a48446d863f2c2c63f42aa466e002b8
SHA5128f2ee3b02c4bee0483ed702d283bd9e513917044bb77aa4412dd85de501a8a52c966510df948a9f5f36177407bd111633047686d727fe32de14599e17b229de4
-
Filesize
18KB
MD5c182eebde556be386ca5b656974993fa
SHA1864aab5c6e71bc3537612c2541e7737d02e6f4c0
SHA256d8682c24396dd5093f4e4bee6cc021148ed2558039b2682bebb60dbb95db56cd
SHA5123613cf324c708564185f021404215202dc2fd5340890db115bd906716a9ce74900aba954c68ab13900c79bbe869b916739157e426a0196c1843426beb9d4ef52
-
Filesize
992B
MD597bfc5edd3c99f70589a286a14d09989
SHA1bdc25f1adc9adeeb65691cac6ef5ee310dc7662b
SHA2562753ee87b488866f3013d903b0109ace984ae8dad3392d87feeab53e14d0fadc
SHA51277f1c63ba9a782591c9afb7696a46c77aa874b0a879aaddddb5f55bd23df555429c63d2b2f4219e6c0abe5a9e1825bf4e22469a7337fbda5fb06161eda1b60e0
-
Filesize
1KB
MD55cb90c90e96a3b36461ed44d339d02e5
SHA15508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA25634c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA51263735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4
-
Filesize
871B
MD5386677f585908a33791517dfc2317f88
SHA12e6853b4560a9ac8a74cdd5c3124a777bc0d874e
SHA2567caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0
SHA512876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
Filesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
Filesize
79KB
MD5e51f388b62281af5b4a9193cce419941
SHA1364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA5121755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize672B
MD57f9e43bd60f6c4a01eee24135d1af46e
SHA1248b9b30dcc1e72aaeab47cf9e637eface3d3cb2
SHA2565ad8568854f7f8565bdb8f2212286ccd52e14881df73eaadbb2c5b3473b69475
SHA512067d2145ea3583165b935adc87ab7e6170f8ebb1b4714a38e58b31ac47ad422f92afd0dbb927cc94d91c01d3273cfa86afbb7c9fd4af6c62c5f58f4f2572651e
-
Filesize
1KB
MD5b009d7d5f73f6582388a6f7a63fa67d2
SHA1bbe691ec7d6d322e01dbe3a8ab200e1b47888555
SHA256ba1301cc14059829fc9c921933e7373aad6d41a54756ef6ec57d7d6ea5b5ec4d
SHA512b2c774eee0b7040de2467c600c8829c843005b19ea6db0e4976b3ee7c750e36fcfa30664643f075d08c786e921d3ec327d278a8893fa64f9ac9c53bb34e2e623
-
Filesize
979B
MD52bbece15b03af95e4a0ffb953b3b6cc6
SHA1d57cafe9b0223d5a4ca4a434caef6220fe452412
SHA256da8fd90b899e153115736b4f1e48d69a85dd00792d4cc80dacd061cd43372000
SHA512d2ee84f067c24f2b44c06a84def526509863f00bb7132234b8e2b65e0d02cd37a083d8bfc4e2af55bb40d12f3bcbf0e63f434244c583fda6e3b46ff6bd7a306e
-
Filesize
1KB
MD59c90377379be158e3c75986ce0c3e34e
SHA19d07a94e1aa3e6477c7da1eea75a533e4b93be03
SHA2568de627a4a41f97c2ace4d73e3feedf7258f19f5ce7eb58d83d8c21dcbce484dd
SHA51260f9e7d072e1b7bdfbde6cfb1c973d392f8e21d95401d6500c39686bfdd63b58091ce2d8e4d4093b5790dffcc7fc20a48f6178b99318349c8b6dddcea5d7b21a
-
Filesize
6KB
MD5dad1169fd1b5a77173c8348516b8e3fa
SHA1f6fd8d3c94eb4aaab412e1b2b19327d424eb8e11
SHA256520cb76daf8bae9180c0fce90247eab1cc9fb0774a69d97a2d20d46b683a3281
SHA5126988a7fd185b25b7624939ef84cb6e466873e6dfe95af680bfa42174420a2ac9fe88aace08e7b5f04adc095b9c5084067a56a919ae55b5f54ccbccb192e2aabe
-
Filesize
5KB
MD5fa6961b6c2ffce2e800a1a2a569099a3
SHA17e15ae483663f345f4d3d4a22a629c92ecde143f
SHA256a2adfe09bc784b7c29e3e809f2041722324dbf130807babd265bb2de474e95bb
SHA512595fccc3ab50ab1c62f9435ae339ab898626315873a8d0516c8c702ba287f9a63d1f60f0c4bb6a4dab08c84bfe232607010d27db91f5abb3778e97a6445cd024
-
Filesize
7KB
MD539122d2f8ffa3772f606567f47a8cd18
SHA1a6da77d0be4fcb53886720948075070cc54a97a7
SHA2565771d4bff035467a03e3875c178b8c42b276bb6b3dd20b16aff2031a5ef9ba43
SHA51218d83f90b5057cc9b64359dcc286febb4d3af3d3075fd8e4b1922132d69df10873025dba4ae24838d8eeebd296199c682b4f05174ac84ba741dc3aea6aa31428
-
Filesize
7KB
MD502520cf0d32faf36cf1b3dc4a5cbccfe
SHA1dbef7aa84a6d9a1ecb14596402af11753aa610d4
SHA256e314c47f35713800baabf3cbc2f3e91316a98b18797933a0bb44bac16839acc6
SHA512d981a955358f01d2de325cc4129ac93b015592c24dc49d73d4ed72f2d049e30a37fe6db8725b98e4994577b4af06577d1b04b7f654b3b38af9f3b72e50b28eed
-
Filesize
7KB
MD5e3d68c204c80041c9dc32bcbc44627c4
SHA156292d26bf685fe8188be4fcc58f0f33c0840732
SHA256951e359b438d47d1cbde508def7c31eb8dc7904febcc15f70604d366e8f1a5eb
SHA512a7f965ea9f197f53111e3157dca62d20ed47d6b32f54f4730dd677b22f2e17761f80174b3acccb0f8ada1db178684356baf20da0c355bfffd092e92bd340a9e0
-
Filesize
539B
MD509ae786aff14d21baa84f433022decf4
SHA17b4f2ec18a2880cf9d4ab007b2a92087b5c81d9e
SHA2564d3d869624809eeaf621207c791435002005f189b49a7e0ecc81eb2d11a2079e
SHA512fd007ff1001f9146f9d3e017d030d06c8b5db89255858f52396d1d93077a73f196baa0fab77472632d00858119a4a65e0f4c386ba7a149145f836096c4ecdfaa
-
Filesize
707B
MD52bf7eb081904dd6f51e09bfb68d3a438
SHA133d80575aa509953a3c7b69b1dd939c94200ff78
SHA2562b669fb34b82989ca9bea80c9c6030014cc4ad379080d957321d623646c43dbd
SHA5127430961e9b2f396bf1cd01bf9014ae9e3620cadb098d397971faf764284ce21e0f816691f84ac996a2c6d5b0172e23b5f1f54ef7a01d8cdfef89869a627ee5f7
-
Filesize
707B
MD5b67908e0308ed715bdb2f44f55cc5783
SHA1d9c94ddd7414d98c01bd3db352fd4b1a716bb960
SHA25659c0a6fbb54789c95f43d0ebe078a587fc10e6c3d5f287a324aa45585fc960ed
SHA5123eb95d75765277c6ec643c2cddf118bb276b404c24b26b874e3d077a3e629f6125cf6a0ffcedce2b0358ec86d543bcf2bb0ce9889acb0075e06927c8c46c1284
-
Filesize
539B
MD528923dfcdc22f19773cde9d25085160a
SHA114cf9ee8e4f9bc88c142271a5b2bbc0e6f865875
SHA25629106b45b6397f0e8b45130194d186cd23c67cd635264ce973ccd868b5e760ca
SHA5123a16360c07f5247b0c7c64943489677ebddd5dca626748b6f8e3fc84ea7590fac784bc84ff5f19f0599858917f8ba891268393330c2bc23f3c6508372434fe8c
-
Filesize
371B
MD5ed2db914561daa438648c0c3395dcbe0
SHA110928ae0c7351ac88b6cffe646908799b215d7a1
SHA256f3610dc52d9a0da55c6ab67a87420cb3eaf58be486565d2801b4d69d55681eca
SHA51289accac5963e223e082c267418754f517821373de209926f67dbe8bc7c4689501bc86628f3c4877a4c6687ad6dbdd824fbb224e51eb673926c9dc1bcaec6f200
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD570e6a2f0db8851d3b10275f0f5794b18
SHA1e729bf4bca9a172cdd97d4e8c57bc57c3ba69918
SHA2565fe8639e0465fcc1ee589bbe57e7683578e31ff8dbc8a17a83d393982efa6127
SHA5123e296f236525dbfcca69e910658fc02db2d15f0627de8ec1dc1d2e064c0b39f50aef8cd5b91d027f433023f59e9feb59dcc6bdd43485b1f1fad39d6f5a989926
-
Filesize
11KB
MD56a2337611329533bb9f587e0bd08ef8d
SHA1f91833b910dc5a90a5a0bbc4f4f8133a9455ebc3
SHA256cd24de6e71b5285a36ea4b66973869de3d50e7ce8045d10df3d6399a477009a4
SHA51240e6855e9e540f89979589abc5f7b81059eef214b9ec48477c6656c0ffc8e46b22bfd5d07fc091ce9b1fe74e0958d65b6c9c30cfd838a4d2e6af9108760dc897
-
Filesize
12KB
MD5a1d65915983958b763e37b320945f6cb
SHA1e8ae20c71cd41078bab1a758fa74f59244ffd74a
SHA256261b9e858b9ee63ed2b57d4b5f73b74ebb09f45d1d05947fa59d8042a12ee50c
SHA512b0d548408ed0c010c291e6a4cef0f32041810742391f01a05c515101e6da5a3579fb2293dcb49034502961d5de9684694325c7d47dacc736db1109914c524ace
-
Filesize
12KB
MD56753cc3287975b8c745b5c10c81bfcac
SHA1cd4ad325c75bda80ecb9ac2d8bc225989cb7bfd5
SHA25699d8e41ef9bcb6dfe8b538e47495f748f3cd7ef4b0bba4e659442987efdbc51e
SHA512b47daffed8a00c41ace4877a64f3d384c6d05979303f1cb174fd783cde40378f943afe2a0d832c8d45b8ee5a45811f793b40ffc79009e219c5ddc2e3d0c4a502
-
Filesize
12KB
MD5284b862111416c280f179f8748fdd96d
SHA160f4b20c9baab2c1a71dcc8e4217f01dc0fc6e18
SHA256a4da4ae32b9aaa72ed564282371e99d29c95de2c6560447d15347864b23b8960
SHA512a9c26b183b92f0de8c8b119dd58119915a42abdfe17601047942d7cc55f4a21a56c5b6d0b72be04b88783ce8aab3612a40dc803ed25a1d7fdd92160f1fd5a45e
-
Filesize
12KB
MD505bc01c99bda29698088d14f6360a994
SHA11c281bde3d83c8e825881252f38cca54a0ea7a32
SHA256564923dd0378cd4958e7b511beb83f76842f470204cad3e8a2164a39ac2996f5
SHA512b1ddce634807bef975a0765ad1f851be369f267ab5b03aff080203e8f3c3a2efa9ee6d54848546082dd29dbb9dc31cb963cfbbd43578bbbdf35283ec496ba573
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD519759ceaa66931b34b1ea2d0d29a0f52
SHA154ce33c4d0b156dd93f2840272cdac504096907c
SHA25647047347ebe60aef6f7be93fc2e51d2ac4b0cd7f3b7a17c9d5d052e1a951dd48
SHA51253cb96ccbed95281c53fcb0846b9fab173e5c98cd120aab63e3c877e2bc8a1e8ba257abf1f114d2decc7228ca5cd70a7f00cec2bc2dc2e7960df0fb31ad90611
-
Filesize
673B
MD57333dbbdf4f6fb5b15981557a934e0a8
SHA14a40e68c660377fd61c3903e353828784e35475e
SHA256f4bfab6eddcb44f2819092be06c7fcc6b97a77b39b8fe4b98615d4e60fc683e0
SHA5120bff18ed66afa13f6728c711151beaf7d2bdbae431a016d27f41333243855c93ae924cf7e776f2b34fef12f534a8279d6958a0bee2e40606f0b8e469ccbb274c
-
Filesize
832KB
MD5229ca4222f782cf9a4de319a507595bb
SHA131b9891f4f519bf535b5ca06093fa61c12178db0
SHA256f827c4f3ead68d8f15ba9447ca69c3119d1eddd917ef36d73494d4844e888dc9
SHA5128a572cf52f0134f417e18df92d49376b444843a8485b7ac33e0ec963c30ad55a71f363643c7da2a7ce52c3eb5eb4ef1dedf050e91d07b06686f34badc0891186
-
Filesize
2.7MB
MD5b8b51df76b3f00ade7d55cd4c7f0d6f4
SHA12f7f9ddfab8cad5cef96cb0e9991efb89e642d9c
SHA2561babeacafc7be55b72451ef9fdc0cb756c74f0cb9f8d6cc5959e731738ae3a91
SHA512dcce8cac094346deac8f9453e0d3b428b7a1a443e865b3fe6a7e45951607ef017f104f7e48cfaf9c26d1816256a7d62a8c6347cf694dfeab837810cdc5cbf91f
-
Filesize
5.0MB
MD5fd3fb20e423d639029be8a7a9b8f591d
SHA17e1c144b4028548742b1d324305f6c8a4bd66bf3
SHA2569877905b046182b385cc16a102e05b0a08495d966f7dadbaea8b39871755eb33
SHA512e25a7f851cb0a76e33de0ac37de4303b36532a30e983c71136b28b6b494affdbfe3cb4a2eacca4993bdedc6e33c1ba9784c26c303024d5c05b09d7d1e83550dd
-
Filesize
343KB
MD551da89019cd04b7e3c032638bcdbb44d
SHA15c24aa8307f624bcfc8af66e62e59314cad357f0
SHA256af8a4ba4e90778e99e4dc65b5c15f674a93572f10b562dad9428e7d50ef51c63
SHA512ffe682c4e98929448d427133e2e3094e0f98e9788cc2bfb3ad226b90e1ee4e2afe4e1d982f4d48269a7b310b20da6b6e879765fdf58bbf601206b4621a2b4fc4
-
Filesize
2.2MB
MD5bdfdfa323d578c1f668a4f97db9b8d10
SHA166e7fa0ba48988483c1601a9c2301d318639c5d4
SHA2564bdfa89047bfe08d94cac51bde472f37e3a002e673e6218fa5a5c3c0cd33117d
SHA512fe4470f25ff65df557884d131bfbb450e651b3a9151008772d903dac251e3e04bcf1aac370f1b172d3e06145bdafe8b3c5ab95a6bc565e7fbc88add8deb7df38
-
Filesize
3.6MB
MD57c1116ef335e3d57298a17a0dc63da3b
SHA14c82030db099dd24e6be5cfeada9234bcda47e92
SHA256a7a8fb604ff5d7eff7dba47b08254be021a7f4490af6de409a7475da98af98e1
SHA512caf030dce4eb52e9ccfd3d0f8746fa83429e64f8061a73c435781b5b390e98aa868f5fb08f839ce706a352fcaabce0d89b7e698955d1f6c14ff38d5bcd7ef557
-
Filesize
2.2MB
MD578a2304f3a08a66a5f90757dfb397f2b
SHA1d6e327d3a056a2c6a2b1af1f72aa03293d191df7
SHA256f3510f0c072e4c056ba514a8579f8eabcd2a4a18756e1da3d56ab17bc42ff358
SHA512a2d204d6492585d35af689673f806cd85d1030123e929e311fe06e84eb437084386f61614a9ec3b4fa135785a0b1752bac24991294b28c2ebc6f4770ef8b8e41
-
Filesize
234KB
MD58edc1557e9fc7f25f89ad384d01bcec4
SHA198e64d7f92b8254fe3f258e3238b9e0f033b5a9c
SHA25678860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5
SHA512d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd
-
Filesize
244KB
MD560e8c139e673b9eb49dc83718278bc88
SHA100a3a9cd6d3a9f52628ea09c2e645fe56ee7cd56
SHA256b181b6b4d69a53143a97a306919ba1adbc0b036a48b6d1d41ae7a01e8ef286cb
SHA512ac7cb86dbf3b86f00da7b8a246a6c7ef65a6f1c8705ea07f9b90e494b6239fb9626b55ee872a9b7f16575a60c82e767af228b8f018d4d7b9f783efaccca2b103
-
Filesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
Filesize
26.3MB
MD5f515c54d4ed80fe910e9ed252111adda
SHA10ca07002ca35e4f01818f9aad91b9f16ea9c4f90
SHA25623dd0b88aaf091992aadc29cf3845f09e6c6ee385395e86c6b735e7899af096d
SHA512e93af9c67e1cdafeb29abb6df9eb7ebb30e2d300f044bf6144543c1d6983f78b1e59384e43a1a1d18a1a97e0f68872f637b1fb98ca2763738ebf5cdbc36b0f3c
-
Filesize
4.6MB
MD5e88a6f08d2bbe974b89979f71676c1b7
SHA1a00841527ed694c9314f686d379a3979164d2808
SHA256ceeb7d052b2bd39fc15ffa3b578b7dcfbcb5b5a182a693afcdd6646433a3482b
SHA5127f2b4f2402a60384d1054f9311c7a02bf4c3455f979269a8c708644d74774c15100c767b062f965c2e6711c8351699b1ed4ce22894585f99e3c64956a2e6cee6
-
Filesize
29.0MB
MD52d8a9f00fb0887ffd890b622aecb2da5
SHA116c6686b4c44abd01ed814d218528fae411fd87e
SHA2562edde9257410ad2303baf9395016558e398674e2c18e9774e46c9f8cab1506b7
SHA5123c2236f4ebe388fc6276d555058d4cfb72c67612ccc947570155d10297076d748d6b1f8fd8b18ae477951c2a20d74c0994de2ff0b19ba247a84a63de8eb24eea
-
Filesize
2.8MB
MD5fe1dae231d859bb8873a1cfb4d10a780
SHA1cd11a4fc943785281145e7d94817be6e3147faa4
SHA2560a971de7da8d04d1cc0491f9d16bfdaec605dc7eec0d7e7df9844645e58f75fb
SHA51276608d7eca7df522d23636bd29439280db828d1e0ad1fdba7e22e12a5cd740ae9d7b3c90c2840085686279ce0e015f477f4d4270c944c1ab9203f138aa14b486
-
Filesize
9.9MB
MD5f8247cb4681460bacaa8c44719257952
SHA13a41a903ae164b823215b195b618c8c3dc159b9e
SHA25694b57e7393198f0fe80ccb0ce070a2fa6f719134d7f976899f710aefcbacac0d
SHA512aeb476c9ea76d3ee8529c3074125833eddfa4cf331d8ac5cd4ff3b7ed48d5c09510e4923593a880851f45804926ee40795273ebfa6cedb8c54812145f11ccf92
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
205KB
MD587c8a7ea44e8ee0d9358e25b7dcd397d
SHA10e2021be823fee499175d2c0d68346d15c02a376
SHA256b7de0a0ca3a94738747abd708e30ba1f9638a8c8b7d8173c76d4f39fae3d9346
SHA51298b5bbe5bb3ec331a0025e3da209296050b2f695be5a4b90b5c939f8fbbaada6dd93483eba779c10151546c2798aab5282fa619a55ec0cf04f56a03795a0a3f5
-
C:\Windows\Temp\{24F89BE8-0E75-4F13-9171-C2BED1468DE4}\windowsdesktop_targeting_pack_8.0.5_win_x64.msi
Filesize3.7MB
MD5ecc61fc4446eea417696e929f43fa891
SHA1e197da3c227187b67cb2343e78e7de6955bf7217
SHA2561b0a334e1ef3563c679fe7b6ab13b5b460c132ee52a95872e5de0d96d3a675d7
SHA512cb772e282b7f9845f79de09e4c74f61ead830b7fcf261db101fdab6ae374c5d3bac05961fd8f0e23a884560c8e88b95fe61f84f2485c25b99d2d80795f87d99d
-
Filesize
632KB
MD53e5623a5ff8d3523bf9baa47ba4be97a
SHA1e2c83a2a7e591aadf891364f88030880f227058b
SHA25609b93545d93cf4feaaeb5f827d91bea5581dd2f7045de4b02f77d42c9dc0f5ce
SHA512e6fd7e4f9f9954dc91c1e3e90ed24d073960e0cbad41e15c53c4bf2660bedba0f6f8405554a98bb3b0e210856756e0ef3a79d297055c4ebe822233e6657a9f65
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e