stormkitty | hxxps://github[.]com/Marcus458/Tz[.]Crack[.]fivem/archive/refs/heads/main[.]zip

Analysis

max time kernel
308s
max time network
314s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09-07-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Marcus458/Tz.Crack.fivem/archive/refs/heads/main.zip

Score

10^/10

stormkitty persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002aa9d-376.dat	family_stormkitty
behavioral1/memory/1032-1173-0x0000000000CA0000-0x0000000000DBC000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

pid	Process
1032	TZ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
127	discord.com
128	discord.com
135	discord.com
28	discord.com
130	discord.com
132	discord.com
133	discord.com
134	discord.com
129	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-299327586-1226193722-3477828593-1000\{070D5E0A-0B17-422A-97EF-EAC567F22C7C}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Tz.Crack.fivem-main.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1652	PING.EXE
3548	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
1100	msedge.exe
1100	msedge.exe
2512	msedge.exe
2512	msedge.exe
2836	msedge.exe
2836	msedge.exe
1068	identity_helper.exe
1068	identity_helper.exe
4860	msedge.exe
4860	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2176	7zG.exe
Token: 35	2176	7zG.exe
Token: SeSecurityPrivilege	2176	7zG.exe
Token: SeSecurityPrivilege	2176	7zG.exe
Token: SeDebugPrivilege	1032	TZ.exe
Token: SeDebugPrivilege	2316	TZ - Copy.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
2176	7zG.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3144	1100	msedge.exe	80
PID 1100 wrote to memory of 3144	1100	msedge.exe	80
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 1896	1100	msedge.exe	82
PID 1100 wrote to memory of 232	1100	msedge.exe	83
PID 1100 wrote to memory of 232	1100	msedge.exe	83
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84
PID 1100 wrote to memory of 2004	1100	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Marcus458/Tz.Crack.fivem/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8e253cb8,0x7ffd8e253cc8,0x7ffd8e253cd8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3268 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1876,5417659681434744502,16950159428190908670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2836

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\" -spe -an -ai#7zMap4429:146:7zEvent20210
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2176

C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ.exe
"C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:2868
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5116
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:840
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2376
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:4048
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2928
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2720
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ.exe"
  2⤵
  PID:4056
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1652

C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ - Copy.exe
"C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  PID:4460
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3060
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2788
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:3504
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
  2⤵
  PID:840
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4328
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile name=65001 key=clear
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4368
- - C:\Windows\system32\findstr.exe
    findstr Key
    3⤵
    PID:2408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ - Copy.exe"
  2⤵
  PID:2952
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8db5917f9989b14874593acc38addada

SHA1
e2f1f19709d00cef4c7b8e1bca9a82855380a888

SHA256
69518d96a22b831de7923bc73ef0ce86cd8394befe8e1c20bf4f95285a15cc63

SHA512
39a70a4207338e819b5dd8dcb5b2b4edaa136a27d51edadac3f76f7de224c54753173a13a55667129f0310b3bbc9f258da0a5b9a7f8b7be6c3c45b64a04e40a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03d35a1e3ffb7a9f63b3f24a32b8e85

SHA1
878b3c3c4877e1f132819392c12b7de69e1a500a

SHA256
832cc8b01bdcc3a2edda654aed8b35bd35b4b308f2843187157e805c61c90435

SHA512
fe947eea87acd7d8052bf802f5e1e0105379f07f84160ac51b7771c9d03ae0822b5d56e2ef09b13f0a16b53071df3001f4fe4f255307096477d3db2c9671ee23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
970d0e20692b74e97203d5cf9358350f

SHA1
3e45b858a775b05d117b26a317ceef16d3320ad1

SHA256
2c2ba720b00b5ea91083f203eba58347373081ef53201695e5b2de96405945a3

SHA512
75cd3e41d4094aad759b315eb56eefa1f2b3a4111899ad0da733b12ceef8157ad44d507a01705f9b1ac77c53866355a08edef8663608ec2d7753425c203ba507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
620dd00003f691e6bda9ff44e1fc313f

SHA1
aaf106bb2767308c1056dee17ab2e92b9374fb00

SHA256
eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586

SHA512
3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
73KB

MD5
7322a4b055089c74d35641df8ed19efa

SHA1
b9130bf21364c84ac5ed20d58577f5213ec957a1

SHA256
c27e6cbe88590ba6a04271b99d56aa22212ccf811a5d17a544ee816530d5fd44

SHA512
bad26b076fa0888bf7680f416b39417abe0c76c6366b87e5a420f7bc5a881cc81f65b3ef4af4ba792aa6030bcf08bdc56b462775f38c4dbf48ff4d842c971bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
27KB

MD5
a011fbea6f2348688742022a302866b4

SHA1
75fc442f6aee39c58d1d79cbe0a1e6f43ec6a815

SHA256
832e8a4cddfe9029e29a1c247c2f4193fd2ffb4574c569aedbf10bbabdb8ce11

SHA512
ce9f91c80087113c6201695523e868a37c4f9771f9f510452b05af67c36bfb0825e2fe41b539e07f71361ed9e3409a32430307389684f20985421e0c55315986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
18KB

MD5
f896931de6d22f9c700f0db50074f81b

SHA1
eb2ebcf3d01f9c2de74f13897ebb6d8d2e133d87

SHA256
9e5b8403536ae1d1fa6df69805fc50f71165d018e6c484584c0666cbadcbfda8

SHA512
5af31d54f34830f83e232cac8132a3912c16c4f6a6b352cc88926e1f31ac45df47bc52b6e8cbc9d6aa068d7858b3b76ffacbfd50a15f33babbaac856cc7fb6db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a76cce28e7362de9_0

Filesize
19KB

MD5
f11e6a48a7e70c93c820a846cb12ed38

SHA1
4848142a6781c3a7246489e6a3cf9fdf9f801a47

SHA256
41ef9568b041bf9604ebc4f2fb766376c0f11a14d4ee2eeb7860c966363660b0

SHA512
a6f5f9936f2c8c30f57f1eb8f3ba9a9dd65678385881d2d5f3a8e8e94ff9aa379d8732c5b52d9c5e4e12c0c40680fd92b7d91823ccbfe17977bb9b4dbde0b6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d1e54804647835de7042cce30c2da462

SHA1
d64fcb29c19fc726fb39d33e96804341051341be

SHA256
7f8c09f48efa79178c5aa8719ea1262e03369c69ed9bc58d587fe9cfdb8e3807

SHA512
496d2652a7ab47037c55d361d145e6313d665c0b7ad08876590dc1f0f03e39e7d50e80bd4dd022c7db357311db2148ac0b1b1fae8ad6ad0b4e2a605b07a09851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
309ddc5064f9a7e56a29a64de41a00e6

SHA1
c8da242e129c70b24862d977b0ede6d0e5ff7dd3

SHA256
1f36c9b2633d58e51a2735d36d2b6c885bcadca2f77493dff1c9d15a3143c8ae

SHA512
0fb856a5a520ed0eb2f306251d44c8bddb75d24189df5c2ba8274c0a40f9a81b20c3a8f99368cc6347fe9c137740accd6950226c0044fc3c43797f9b5d8f2fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c01de115accd107249a60bc7c8cd0881

SHA1
e08b41747b0ba1e4b3544e13420459bf34627a42

SHA256
68d049841dec971c6d9b972a61913b0b5990730ebdb481d153d4714150ccbe91

SHA512
f8a03184e26ee533667762df593f251b846e40fef31555123f4fa49a9d8e8936da35744d63729628694b75373bd6537ca263d1e3ecdf00205daf5d0672e58293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bb5f8129702c180ff57b9926136ec983

SHA1
87edfaeba7357f4ea5714389be278b9189863c27

SHA256
1ce0495241f4dda044b13058c72dab3025ffcad7808846258cd12b7e32542744

SHA512
3bf0ba5149661974a8f22867de9a34d83a33bdc0470f7544cbcd20fb11d3582b6e3a4b4c28897acc15018d75ea370f7ecf67a86e24daea2757ef0868ddd773cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b5bc403f7de366bcbba28f65eae3dd1b

SHA1
d53b1cbf06abb7f7977fb6b4aa6209a3bbbf72e4

SHA256
f25674953165bb591e6734b8a3e9b43cc5791f35ca6d3cb42c35fb992d0c3a6c

SHA512
1a37db760e523d41f6eaeb79a0bd98a8b053d6f94bf2d53dfa8244453e7db78201f7dd08ab46aa68bbea0d402d2262c761d586dffaa3ff0d859162d5b6fee933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b4b0572eb57e6ebc67246fdc5c25dee2

SHA1
c79e11b2bf1d0e10db9a57c170d9a20c55aa80c7

SHA256
973ba03191240dd104dfd602f6cb705ad526ad18e28b8ba581ef7c42b2161d96

SHA512
ce25a2b0cdb579ddf934d86cf53f695332e95e9bc67691cf8cc8a010aec128bbbc32b93af20172b162b5cd6e7a4d5799df63b5289b1b358de1dbae74f2a2414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8809e13f08dd7f6a973124018ded3373

SHA1
cc1fc5c640547fa328bce3f6092550899d24d412

SHA256
9bffec590319a6db20317317d84568aede1c2912ac54f697b6fc8a5a15838186

SHA512
4c3ce0ccb4a063c029ac20c423549e4211e754f69267e6212ea72aa8b7ee78e7a9b55f35b6d66afd47dce7b63370389f68fa76417eeed16c58c494b448e9aa8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9bdc2de5db8769c872ec32c12632e61a

SHA1
fb7a90742cfdda5b7b07dee9ff907cfc9d2fd788

SHA256
f43235593475d3ed002210f94cac076fc46a20c4c31050bdf076ae6648a15751

SHA512
b87009edb107af876466a4575f4b020b81c1e51f3038200945021c427fb5f500f11285f47d37de2cae81ed43cd7e774f09609dc169343279fef1f4750a2660b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
66ce669b47376e2866d89994c6e868b6

SHA1
d24f6024acbf0041f8906460b7a64bb63804b6da

SHA256
64171370a5f138c599a42b6e29d02408b9c57356bd7505cfa166cbaae7938007

SHA512
fbc5d2a024ab0923d2278e979483d30470057c4f43078715bea1e873741f098a07f74ed5cfd33fbc14ca2101685f0cc8e128bed7c9a8f53e42f493854d99d205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86cc878c6ca20533261afb362749c9d3

SHA1
72aa4345b0dc86c999d1ddaf99e770cc8f650e61

SHA256
06ad4189284464d9bcee0e835bbb395964f16a2b188249ad745901cf7fce6f39

SHA512
f209e3c71038a1498ea4d219ec5c115f914e3b1bd62b2aceb1ec8d95f974b19540c8814fa39b4751687644d8fef833477f2d4ddaa537e9790a6bd8e2a84899a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7b63d26f43fedb207b032cc62b06dd23

SHA1
c06ccffa402d9be739107136f06478b4cfbb7db2

SHA256
991ae7b8d572168b67d089eac3d4a0f7fdacfe7237516387e1d8437fcec9602f

SHA512
32bb526fb387e03912524bba197e042fc02528a3b81a5e20802f5341a1bc2c6c209c314f0bac8c9b1b695da8b56d85f972f5be0dcf5b092f24d59607ad9c31ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
429b95a4c482891558fe75c35ba35efa

SHA1
4e1ce01ec3299c82b7557989e76fef5312bf5695

SHA256
0b3173c9930cab3489f89b8834c66eeac3f7b463c5eaedcbc214e421e73c5773

SHA512
80758d45dde1b6825b1a7926ed44293fdc9a348aee32576dab730e34e8769cbd5922264b6b8403863ad40c1d33364b91940357407df9d883dfa63f6a24f1f8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31866525be08cad5217ecf7958596cd4

SHA1
2cbaf13f81c6dea4aa372a5819517c3455668125

SHA256
eccdaceb0c33dc179be7818b34381365180b1ad7ff2330fba40fa56a862d9460

SHA512
746def289906a74c094846950932692d8c0cc5b2120ad76ad3388ac4a7cb74f74ce81703103d8e918d22631ec65815b7775a47580f3f16baef1562029f97a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
385bd48402ff5e249bd2550309129e1c

SHA1
20ac1c5e629eb38965d0e0e4965732053c2f07f9

SHA256
a54bfc804d0b3434b64c42860ed4943da1b4318b0f0fe2e5e904b7268cec1227

SHA512
c6c1d3687a9dba02bad1c5c25fad0d1c4b65e129f3c211ddd6cbdf74f74b311b9c501d3679b09206a0a5aee873f39e686315bad473327b1a5cd6517d5366f9a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
141849da62a8518615444be01a8a9daa

SHA1
c5af3bae695f612bee0c1d0be096c5f865d1cca4

SHA256
ccb58d6f052b6a00fca865c01a4518efb6d18a011e53ee3d4fc2828a0c4f3cf6

SHA512
6e289608098d15efb456f49e4890111bcc95cd5ac8ca0e421a9c4f8f04d1dd76e8c2d56b98979ca8e093c404f0eda8c975b765b1ee6b7ff5a4dee3ac302b0c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d358.TMP

Filesize
48B

MD5
f39111539cc0937d65726779143cc559

SHA1
cde48b713d4a17da9b319cba6a68ff214b5e1236

SHA256
6ef30dc1d0b6051b40aafa7a811c28735e03f1b35df0e42879562d8fb84c6226

SHA512
6e5d74a9933f9b3e3786ec22d5df9fa7e7e0277021af39bd87d2b1db706df7811ac169663743a282019e4f12f296bd9659b7f1b4dbc8e7b6d9392bd4b0522178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0a3cdb214a7e02abba7319d20521d55a

SHA1
7caa58ddc4edd9d4015d6a05b31480485930be16

SHA256
a49db2213fb13a2a9c7198b03d3de736a86c1af563eba2bf08c7a1729a4ef609

SHA512
62eed805aedf738f9aa3aed8ed41c177f19757eac931f2fc05b3bd702162f533bbcca83af75f228fa30cab137be41160e7fb9c1bca47e85fc44ff32fe0384e5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04184a02565c2f0bcfadbab2e8506bbd

SHA1
eb00f62da7775616a5a01ef585acb7d92b5952a5

SHA256
b37d1d46ac0999d8b6830cd86fd960df2058d91dc37d3c55c3468ebb73120e06

SHA512
7cea0dc823b785b1adaa9beeeb96f52a1d30a46be61bd0605efa0501f9d9779fd6892bdc62368229aa4839828e89b21c529c9ffa7d5413b67640646ad72f9917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
69f10f5023ee93192a43b42f0b552ce6

SHA1
144a22d1af4cfb041b3ad798fa7db8e3e379c2ac

SHA256
689818df8da5270272821174666dcc5cafac6d5e358032d42f9c118947fab689

SHA512
dbff0e87f1600b1d3148154c883a2123c7010da031929784ebb112a87e06a5c36a24fbef1d8d1c28542c28a2401650d4c4b0e6691f18d33fa4819af6c4298c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d19cd6f01615c32e5bf015d6a518e8fd

SHA1
9b67b94e46147b7526cda0a8ca975704f704fd98

SHA256
a190221d11912ad09da570bc8d22aa899344135a8da47dea3d0cc71b2209f5af

SHA512
7796b2fe0c7a1f30357a173c4943ec7b6b286f239ff4d855e4a64811f3d5f0bf33ed8face013cebe02c43fb25d54cb3fd37937e92aa54b7fc51104e3d6899a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ed4a0f8127e381a9121ea4758e25eb66

SHA1
9b00b60e1e5ea1cef291b0bd0b6f74bc71c24615

SHA256
ee4a078f2705d5c273f40c402bca4ebf518461874352fa0530700ea4bf622193

SHA512
35cc43f621e2dc204d072d7e3f3a6f8dda13a35b8e75a23d4dff38de1116cc90268941994b68392f50354bbdb3adc68977ba5d988b694a8bc26fb3b82eef327b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588cab.TMP

Filesize
367B

MD5
35f5eb053a0e47166f78504bbbdc31be

SHA1
e1847bb60fcdc25eeff2d0a14246cf5b771891cc

SHA256
17d7676fee97a09a93367f33a6e54be545cf93b7a9ebca81d2dcf9598c1fd668

SHA512
5172ea087ce00f3a1fff09ac6ae0dd11128b3ffbc2ac48f0af9e1c22f16fba55c09a861b701b0ab5118ee7fa0a296550f502c0988a0c28c0f4179d0dcde8d735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ad504cb45fa0bc02c013b523b064429

SHA1
80012075b01eadb8190ee3efb096687f14c7e6d8

SHA256
8331f9963af206f118e7218df4e450997714a88a9869a923d3a6badce5531b4a

SHA512
221335776100cc26eedaba8afc7df440b87506841ab9f076db1ba807633690c100bebcf6d6f6a395841b4ec2cee44d254f9c71a983b5de9974747887aeb58c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5832f55308f4783b4e0b64b726c5b85d

SHA1
3cfd1ee975a7fffba9040cee5467168e731fd9c6

SHA256
dc29c6c6243db7ab3f3bb9335e4b75abc66872efb5f93243f262a9bcf4b638a2

SHA512
7fbd72824ed6689f9263e6371ce9598549494996d03ac9ffeb5c8ce01e3282d558826b8784b1267b2d2624944452e6609142a35a355675ff67190cc1c47608b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7aa8fbc40e2810d753cafc20417296da

SHA1
c1a80165d3e48437d1a79a062190f9c8552c94f3

SHA256
04e94a79bf52e200281bd321a47a867ac8bc85424ff2f0997eef5cea22543621

SHA512
3c3b3c96e565cd179579f80aec618f4c3246e2d8f8005d59b89d5e59ad0f7e43dd1f924d13d22754358730794437249f32bd15060bea26f61c880d16f48ae6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8dedf6c8ec1bb2beb8633e5e1db7b8b1

SHA1
ee38ad4e51cc767883c9de67c60342eb08e49726

SHA256
4b2ee13767ee3d324bba554e7ed400c3d83825a4751ee33b20afb1329323b4f4

SHA512
c783cb38b69a9159867d3ddc03454b0ae217a201007edf9d74e369cc3582d6df3277a70273531b017b28555a5ef95e902bf03b9d44db2c05bfdc40c799086470

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordAccounts.txt

Filesize
8B

MD5
d5f3a22de66e2e5ae394d7fb2ff28f9d

SHA1
a17d58d1c2ed96f1605ad2525bc373c3fefce5a0

SHA256
bfdaf06c736251290c0ca8bf4c28808cbcb9959e381ed2bf24bccf473382bb20

SHA512
09d3b0fe75b28f782a19e8c83ce28bbe7892da32607035569447bea131990750a7ee8973d8e4a5296fb3b2f8db93bb8eae9ccffbb414a7925b9fc22603e56c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Tz.Crack.fivem-main.zip:Zone.Identifier

Filesize
108B

MD5
2fa5cf5917705b8c002fd1f7b5de63f8

SHA1
2bbce47747457077e6a8b4fe6748c3a7f9578a0f

SHA256
e000e281f62dfc7ada63701209d902287da702d3cb8843f5fbd6d6f704ea62ee

SHA512
d237a376ad0eb61b361f46a1231f57c5b6a400bdaa106be6cd0dbe7b0349f618f91cf8471205fbb1d31ea97ddab45d4a793f71ae2fb1f4a74ec5900b488d600b

Download Submit
C:\Users\Admin\Downloads\Tz.Crack.fivem-main\Tz.Crack.fivem-main\TZ\TZ.exe

Filesize
1.1MB

MD5
e2ae7e7302f6392fdf4c02a9d596649b

SHA1
c3a1decc87cae26d9b047d246a05ffdec10788a1

SHA256
5ab491f217e2be7a96de968c73e55ea9cf14bf023c0392440fbf509a2f0e4afc

SHA512
ca8b4372a4a90f42bce422e0a352acce8e4709981f50ec1455a4f59ab749ddc91c0e7736409c40627f138b9a0703c15751262b4baaaaa0d1fef7fe4b462b676c

Download Submit
memory/1032-1175-0x000000001C000000-0x000000001C01A000-memory.dmp

Filesize
104KB

Download
memory/1032-1174-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/1032-1173-0x0000000000CA0000-0x0000000000DBC000-memory.dmp

Filesize
1.1MB

Download
memory/1032-1206-0x000000001CD40000-0x000000001CD52000-memory.dmp

Filesize
72KB

Download
memory/1032-1207-0x000000001CDA0000-0x000000001CDDC000-memory.dmp

Filesize
240KB

Download