44caliber | hxxps://mega[.]nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1179477783735451778/91E5ZMjbQLRcKdVETaUeu6gs8rqwbndcwnn3va8Xyp0YomGet52KGjiXRZzapBves0nl

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 3 IoCs

Processes:

Nursultan_Crack.exeNursultan_Crack.exeNursultan_Crack.exe

pid process

1140 Nursultan_Crack.exe
3528 Nursultan_Crack.exe
6092 Nursultan_Crack.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 freegeoip.app
47 freegeoip.app
52 freegeoip.app
66 freegeoip.app
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
1140	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
6092	Nursultan_Crack.exe

flow	ioc
46	freegeoip.app
47	freegeoip.app
52	freegeoip.app
66	freegeoip.app

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nursultan_Crack.exetaskmgr.exeNursultan_Crack.exeNursultan_Crack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Nursultan_Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Nursultan_Crack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Nursultan_Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Nursultan_Crack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Nursultan_Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Nursultan_Crack.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 142627.crdownload:SmartScreen msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 142627.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeNursultan_Crack.exeNursultan_Crack.exetaskmgr.exeNursultan_Crack.exe

pid	process
4784	msedge.exe
4784	msedge.exe
812	msedge.exe
812	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
1456	msedge.exe
1456	msedge.exe
1140	Nursultan_Crack.exe
1140	Nursultan_Crack.exe
1140	Nursultan_Crack.exe
1140	Nursultan_Crack.exe
1140	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
3528	Nursultan_Crack.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
6092	Nursultan_Crack.exe
6092	Nursultan_Crack.exe
6092	Nursultan_Crack.exe
6092	Nursultan_Crack.exe
6092	Nursultan_Crack.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

5772 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

812 msedge.exe
812 msedge.exe
812 msedge.exe
812 msedge.exe
812 msedge.exe
812 msedge.exe
812 msedge.exe

pid	process
5772	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXENursultan_Crack.exeNursultan_Crack.exetaskmgr.exeNursultan_Crack.exe

description	pid	process
Token: 33	4376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4376	AUDIODG.EXE
Token: SeDebugPrivilege	1140	Nursultan_Crack.exe
Token: SeDebugPrivilege	3528	Nursultan_Crack.exe
Token: SeDebugPrivilege	5772	taskmgr.exe
Token: SeSystemProfilePrivilege	5772	taskmgr.exe
Token: SeCreateGlobalPrivilege	5772	taskmgr.exe
Token: SeDebugPrivilege	6092	Nursultan_Crack.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
812	msedge.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe
5772	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SystemSettingsAdminFlows.exeLogonUI.exe

pid process

5316 SystemSettingsAdminFlows.exe
5420 LogonUI.exe

pid	process
5316	SystemSettingsAdminFlows.exe
5420	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 812 wrote to memory of 4932	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4932	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4672	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4784	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 4784	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe
PID 812 wrote to memory of 2464	812	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/EuZGzbQZ#tuDahR2xAJClVZ3Bbg5PZONI1945IRcejld3E86WH60
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93cf746f8,0x7ff93cf74708,0x7ff93cf74718
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Users\Admin\Downloads\Nursultan_Crack.exe
  "C:\Users\Admin\Downloads\Nursultan_Crack.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Users\Admin\Downloads\Nursultan_Crack.exe
  "C:\Users\Admin\Downloads\Nursultan_Crack.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,558027703642978342,570534718526089887,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:6124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5656

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5772

C:\Users\Admin\Downloads\Nursultan_Crack.exe
"C:\Users\Admin\Downloads\Nursultan_Crack.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c6855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
7f91c01d639b407f5fc2aa34edef255c

SHA1
e7773cf304c50e00e2db509c776ffa5be87a2d58

SHA256
83c0dc8fefa90b446093f48c736d87c3e752982b4a50b3e32ac06a55c435a3ad

SHA512
8d6c2ed763fcaa7182249d9a375590085e73ded39ff8554c801a2a0a7e84ae7e0758369c8e691d70a1bbd16129757dc9182a91e81820d80f6c377002e11949f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan_Crack.exe.log

Filesize
1KB

MD5
63bbc8cfc48981d3ca3381102d773cee

SHA1
53c379b22f7b5d9944089449922b7a88f44a78da

SHA256
b98340718a57678851ee2c958b06b70070c363d18b8b55efe75db53c6ba1a439

SHA512
81f7d38b3be149fea4cfcadfd3dbc50a233d14be450f0e393886884da6cd59f5e5a5961b8560c60323572f63592221f3855779842f2567ae45e4b25191265eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b83c06ef018f8abc3204139e102cb7e6

SHA1
c35aa209588b75b4cbb0268d197f103471db4a12

SHA256
9c3db990c28432d94fef6d3eef38358027e399d725befbb234f43a60d7f89d27

SHA512
f26495a1f2d02a81cc7b2debd33f9f082cd78479dcb2c0da0943e9159493c96d23285550416ea50b4dacf046940b61fa11bff5f9a5ac8b4f4603ed2b8d6e546d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5b12458e80ad52966eaf8f82723b2193

SHA1
2161281eb1c5c50c9a76546ae7bc11df9cc5b94a

SHA256
261e465b74b6d7acfeeb48ecb94cb4555c9d4de42b4adfe571b2cc1ecd6ae060

SHA512
974ab67ccb7c5527e3682b92350f7d947ca7ae0cd334450f39edf4022526d0712d8e82b3e45f9793f95763f8d070309e3f2bb9abcb46d0974f45e08337b70b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80036dc1bfd69fc7387fa33c7806724a

SHA1
0e20ca80a6f5c0d0161a6a8b144581c021949b55

SHA256
5ca6eb3a27f3cdbc881f3ed2da8dfe1a9fcaafc108b49f657b75e279c92f8841

SHA512
c7be05119be69d4dd5d6e19858c2363edcf092a546fb33c4833ec40db6cdcf0a66c3b2f2b6a05d0bb83da0a918e88bb6fe300a6ab05957e724f89ffdbf48867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5f038007e6f1634437455d3f697c5ee

SHA1
8fdbdf03108651b57017e103b3d5957343a9659d

SHA256
a085d79d4f321d621028a20cff4a8828aecc2f36c3b5ce4ae605d0f02eb0513b

SHA512
87aa6293bb8983620791ced9526a3d855fc92e2c246153c0e42094b8bd5200b4207c08f2808155cf7e72784d605258da4b0087c7c58cf004249b177e2c3e6822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c3d63dffebcf335dbde9f9877fd544f

SHA1
37eb98ba096192f3e2ebe479106955df3f3451d9

SHA256
96425deab6b52b0e3e7222cd7730f061f8f6a91955f63106d8cad24d45f9a7e7

SHA512
35935326680bea503e23e78310fe64e59619fd17de8014c9039afe9c233ae6e9745f80aa02f4edc986afd08b9dd221d675b2d20675f310753ef20fe4356ec796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a4a4ebc4d5045119938d37882680dd9c

SHA1
320f6fba2094347ff1576d8ef5538af8c43354b0

SHA256
7ceac4ca21e997dadff93afbc1cba55692c89769852555dfeea35788572e213a

SHA512
806523b9e5648c98f650f4428e6c69ff41df672ff42febd446dac9e1ee163aa2b37f6a95ffdcc16538bd030fd59951898589fc268cbc2695458b0725e73b3f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f6e3.TMP

Filesize
48B

MD5
08f8d8bf125c13c011b3b3d87068596b

SHA1
8759a6660cc528c92a053074f9afb60501258898

SHA256
f2bbc46b9a8aabcc499099cdf2e6c839e69d22d5a6130e4866311bf4ef66ffbf

SHA512
50d833d56755f1c5d6152a1cc3989076440ef5bd1e00f56ecfcf57ccbbb508a193b9072312de770e1b60452ce19d882f234aedc29a176f27b3f373cc7ef7a540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19db490975d87b11e75615e7d7957985

SHA1
1a47809d5820405ffb2ce6c47e80a1b4faa71d41

SHA256
c43c5ec0762812bc3d4fd0a00a6e553974821fdcb973adc8a1047bb3df011e46

SHA512
040a66624792628eff9bb260568baedcbde1cd1f5bc61d632e7ccbd55721a03fa95815cdb63790b8410f2e11b2e5c7b5b2721ae1691671e9e4875334fc7345ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2d4dbf1c67f4d908911e4c3853e085f

SHA1
49e4de4634ca79b3735370800df2d25eadb6645e

SHA256
d857aa015f0623d7c2f31c2be16145ded1d3a671798a16331d5660b4734da6ea

SHA512
1ac03c0674d2238ce7884193443465bb6b5c87f0269d5fe141ba3851431e8b942793d5b699ea05dbbba16f36c97e6492fd1506a71da2e1dd68639412ce3dc9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E42.tmp.tmpdb

Filesize
5.0MB

MD5
ae71e46d9a9c60a6fb840b70cad13b91

SHA1
2a213ae784f5242cc21d9b934706be25ce760f62

SHA256
357e7a24b49900c79fc7cb36548dd6f0607a80dd7e852bf28ebd9a9e46335906

SHA512
625dca8ad62b6cc1572d3be14df6926d18129b66198be13e215dac77f2250ca5f0400cb74961cfd45a68ddda8766364ce7454d74b8315298d6f69ef0bf83bde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E43.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E45.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E58.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE465.tmp.dat

Filesize
114KB

MD5
c3311360e96fcf6ea559c40a78ede854

SHA1
562ada1868020814b25b5dbbdbcb5a9feb9eb6ba

SHA256
9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b

SHA512
fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE488.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\44\Information.txt

Filesize
640B

MD5
1072db403eb9f195a0e96be9cfc4f182

SHA1
3db11a9adff0075631b4cb2be88287afeedcf9cc

SHA256
09d07d94681d6077f58a9f3253fada11df5edd883f53cbdf64d72cb6c94a6ea5

SHA512
23cfaa9981888fc7dc2a3480e35537da05c175faddd1529492dafa19f65eca033e43cee77250116b0bd35d62c27ec2305b968a78c7c65ba737fa5d32f2da1900

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
fbc7e67e346a43c10b92b0664788aaae

SHA1
b30479213cad1d1a37dae72bc698cb573ad0bb9e

SHA256
ec9757741010848d6fd359892683b295ba92bb3823fdcc280c7a540697e0de31

SHA512
86f38850958378ec322725fe35185bf00cdbcf2bf8e9770e8b7d7d67a4990ea57a9523ba58131cb0a2ef1c48b549432f110e1b72867844a37f2e5a9f88cf3b43

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
3b23175a52e85aa852e0e26bcdb603c3

SHA1
0b824866b8c2ca24a45cc2fae01f069b7267bf4b

SHA256
638babf208b2ca2fe543a35af212ee7a6f64acfdc7e19ea783914008594b5212

SHA512
b9b2fbd76d23f64d5dcdf16935933431546b847a3d275e7587e093d574d18f03262fc0e52a8053c0d3ef61fddfaa7c0c2aba5a5176b18ba51e9e570d669f520b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
374e516cb7c66c8859bae3ff08789b40

SHA1
2fa19fff5f2b8090964e65205ea9e786fc4f49dd

SHA256
bccc7539b2920e4c89b0f16ba9b07f13cd904298f88fa5704101c361a6076b5b

SHA512
1f10e5a451ab5f27a1a6fd2e1eed02b383e85235f5172b5f1a6fc1d61624fac7f2bb9b422aaea0639db764f21f94f30b29fd9ac10ef5620f38c0f024f207bd57

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
2KB

MD5
16f96b60fbb8dc95cb4b91157fa3d131

SHA1
7f310b864c0369535076e32d7d24c71c86ef4a8e

SHA256
3fe55593a8b31f2304ee929f4eb66de1907653a8e66dce5383c5c565df787c08

SHA512
5fdacf035640c4e3f9e020088a8054a3b2410a06b239e2ed378fc5812c9e63cce4ec09276c2e176a566e052d7a3580fbf200ff491ad544592ba2e836eaa685f3

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
3KB

MD5
9b933c3a6393c90e1453abb43562aa3b

SHA1
0323f7340f462847f4c6f9904767c9ca6b2feb05

SHA256
c7b462655f2330c66202a0e20e14d32dc4daf330a3027b77c1419d49bd5ade98

SHA512
80e3e3c8e070c50aa775f05dadb1c1eec576c062675688c11bf897d91ef2988b03f1b403cc5466942dea582f3492cac715d68f7dc965077782de7eeae8d04d30

Download Submit
C:\Users\Admin\Downloads\Nursultan_Crack.exe

Filesize
274KB

MD5
33481e6d4eb51e5d4c62b39be8c80224

SHA1
efaf525dbec5f739c9d5dda9730b99390db503d6

SHA256
f02057e3988a5f57d96b4c34211835c34aaf5381c08e1b9ffca715669329708b

SHA512
0e36bd94dadf4b677ea8b025f76ab229630de1b533d513a55679ec2b84f9ce6c7f4da542858d033f4941782a3a8ae48b8e32847c7e8ec972f5d7c0c000839ea6

Download Submit
\??\pipe\LOCAL\crashpad_812_GILTHRZVHICIRGCQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1140-174-0x00000235F1F60000-0x00000235F1FAA000-memory.dmp

Filesize
296KB

Download
memory/5772-466-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-469-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-468-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-470-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-471-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-472-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-467-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-460-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-461-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download
memory/5772-462-0x0000020BA2DE0000-0x0000020BA2DE1000-memory.dmp

Filesize
4KB

Download