stormkitty | hxxps://github[.]com/JohnWilliams8327/SynapseX-cracked/archive/refs/heads/main[.]zip

Analysis

max time kernel
108s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/JohnWilliams8327/SynapseX-cracked/archive/refs/heads/main.zip

Score

10^/10

stormkitty credential_access discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2128-97-0x0000000000140000-0x000000000034A000-memory.dmp	family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

59 discord.com
69 discord.com
71 discord.com
72 discord.com
54 discord.com
55 discord.com
58 discord.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
59	discord.com
69	discord.com
71	discord.com
72	discord.com
54	discord.com
55	discord.com
58	discord.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeSynapseX.exesdiagnhost.exeSynapseX.exetaskmgr.exe

pid	process
4712	msedge.exe
4712	msedge.exe
4904	msedge.exe
4904	msedge.exe
4900	identity_helper.exe
4900	identity_helper.exe
4084	msedge.exe
4084	msedge.exe
2128	SynapseX.exe
2128	SynapseX.exe
5236	sdiagnhost.exe
5236	sdiagnhost.exe
5980	SynapseX.exe
5980	SynapseX.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SynapseX.exesdiagnhost.exeSynapseX.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2128	SynapseX.exe
Token: SeDebugPrivilege	5236	sdiagnhost.exe
Token: SeDebugPrivilege	5980	SynapseX.exe
Token: SeDebugPrivilege	5416	taskmgr.exe
Token: SeSystemProfilePrivilege	5416	taskmgr.exe
Token: SeCreateGlobalPrivilege	5416	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsdt.exetaskmgr.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
212	msdt.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe
5416	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4904 wrote to memory of 5000	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 5000	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2744	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4712	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4712	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 2532	4904	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/JohnWilliams8327/SynapseX-cracked/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1f1946f8,0x7ffa1f194708,0x7ffa1f194718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,153479855757780162,3847491456199224217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4240

C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\SynapseX.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\SynapseX.exe" ContextMenu
1⤵
PID:4772
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW5ADD.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:212

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nlz1m3y1\nlz1m3y1.cmdline"
  2⤵
  PID:5416
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E57.tmp" "c:\Users\Admin\AppData\Local\Temp\nlz1m3y1\CSC71126B73B89448648E906D34A1DACE58.TMP"
    3⤵
    PID:5452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvhzo21t\dvhzo21t.cmdline"
  2⤵
  PID:5508
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F9F.tmp" "c:\Users\Admin\AppData\Local\Temp\dvhzo21t\CSC5AB965287EF347A8B0489D212058F49D.TMP"
    3⤵
    PID:5544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xvfs4f2\3xvfs4f2.cmdline"
  2⤵
  PID:5632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6472.tmp" "c:\Users\Admin\AppData\Local\Temp\3xvfs4f2\CSC72C419A6E48D492C851F6F50C973726.TMP"
    3⤵
    PID:5668

C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\SynapseX.exe
"C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\SynapseX.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SynapseX-cracked-main\SynapseX-cracked-main\README.txt
1⤵
PID:1116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024090414.000\PCW.debugreport.xml

Filesize
3KB

MD5
5b09c1409d7b575e9e8b1f68208a4abd

SHA1
270bdcb88dd7c42d78eb4147268a6c344ba57ccf

SHA256
0871d3e6dbf65308323a8493e0d20ecbc3057fa9ce1f9367ec1f6491e04d6f99

SHA512
5600b975553439ab41a9df0d1212145586944dbacdd7b0d662dade6c133d88265b5e4715b073f7b772a05f379617614df607c90733698b18ac65ba563cfc19ae

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024090414.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SynapseX.exe.log

Filesize
2KB

MD5
06c4aa6a973faa296bfd34782f59586d

SHA1
22f098f21ccbed492258fd7f9f2a1d7a925b8428

SHA256
c2e172ecfa58648699f995e4a699f558f8d0b3b74822317a694c7f70337f5aca

SHA512
a30fea9082495ced2c05f6683bd45502493eb3596908f973e6eca2559adf35120adefb1f690499f512b674749408b71e3da42d8e199c94500a917c66391b79a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b1800c79a0e1536f15a3e29eacd7d05

SHA1
5cd1082ac43ea04ece9e3553ec77cafbf87ab301

SHA256
0481ec514dc4bb976aeb81753d74e1e31f877db027cb2612daf4a1b0d747f439

SHA512
e7948d7862840f697d0a7dd411ee1ef1bc8d5f493ce4dd368af97960f550f44f4ebcae5c00c24906e9e1f7f7a4b9089b12f9cefe7f97a25bfebdd7c208902956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46061f31d21d682eeed2b26545e31af3

SHA1
a0a001a82b3045f008ef77e605443befaf86a899

SHA256
43eca907dc090337dc3a6a2afbf80641224a82d40488a15827f7c524b02971e2

SHA512
b9babaed40fb1431bf3560d20af4eac51926c3a4879b02245229cdeee9c282bb21f3856e25c13210846018b394611fef05c02a36dfbc9700e2139b69578b30f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
431c8c160e7f973dfd70eb3b34bf5299

SHA1
5f231049ceadeeb9398a8bf0eb379b6d644b5446

SHA256
e61894b2833c254a605dc3ea5b1856d09299c683d0bd727ed8a3c182e170db6e

SHA512
20a37ec4eb23f068c618c46854d6ce1d676fc8cf2bdfbc62dab2c405d87eaa861932d6ec76998ea651bda73c69299194b947f9c706225270e9aeec0588ded3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
552765b9c04806df73df585527201485

SHA1
5d69dc56590f015727e11be49afb6dbda9583623

SHA256
dc639763a84b2ba9ddc0e3ea011f474d978df3f6b14464bac00fbc37bf91ab71

SHA512
4fd9076c627d4bd9d205f1b892bef1e6279438442dcb881e65f1dd630b07ac98aa2f06263e1b24c70a1a08bf1c9a9f720b16610cb3e49cd33d27d7de0a6942be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f6400c8e-e9c3-4c1f-b99d-ce9bce2820d2.tmp

Filesize
10KB

MD5
33c4ba336dcc086f1d616cc348343294

SHA1
c6c18fffca8c3328cb4f1e6d7594695816dfd8e9

SHA256
befeb5a33aa0b46d13cbf7c673140674f97b68818cf19dd8cae74466feafc52d

SHA512
22a8aad2b507e1829a9de09642cf6cb4d7bc38296f5b3d899c216a87af97c53ad0f553babb68e8d91c8eb1f7e956c7a340bdc32239b5f7df97ed68e42c52eb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xvfs4f2\3xvfs4f2.dll

Filesize
9KB

MD5
4d304238daea26e7a70f86a58f25e9f9

SHA1
87503c85da53011745c559fc02d151a13b4378d0

SHA256
cdaf2aab66291e11fb2286aac130398b4f579dfe03fa4afbb98ba9214dc7ac17

SHA512
336fe612b717898d4ca30518b039e8cc98bf4e85cfd62ce2d95733b8a5c25c88ca7a9c053c9a9482092a75266f452af91139e77681c839f214d714ce13d8c645

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW5ADD.xml

Filesize
802B

MD5
143d3e78ba4f9b535dc4c96d1cfa0405

SHA1
1d51cd44f01bc467d542ee6369fd1bb5701c24af

SHA256
b618cd18af0ca91930b0649ab4c5ebf0350c87b618237e7c9e2dd3cc19e00351

SHA512
dfa1ce060f8c955ffe802c260ccb650ae51bd956c1257b7c9e755772c607c9499dd7970d693fd869170856d2dd0b493a1c021d6dbf8f4a1f06c9f11a0adebd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E57.tmp

Filesize
1KB

MD5
34364c0cb5002eff7921c084a86cd04c

SHA1
004923451f90eb76dce761f379c2d21dce91ee05

SHA256
9e3cca655777f9ca57002e9be8526a6f275181959d96837360ac2bf5ed1df2d8

SHA512
6eee18939f275c368370ab155720de549a76ef720f894ebddee856ff597deb71ffe23aa84af1eac2977fbac70afa871e6d4e0a1162f46d559b08333584a53c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F9F.tmp

Filesize
1KB

MD5
02630eee44e0f1d85c0de1ea5123b1f0

SHA1
4a861626d8aa5c7559fe073d87675f6b8e1d5f60

SHA256
faedc2d3e26905ea754e255b47aeeef8399f7490d384371fb9b0752aac5375ae

SHA512
afd5cda8d4637e33e59488d01c0f304c960a8895def7bdca87959fdf481d4baee2504572ff55176e47de683c8f0e03e65866ba1bf37bd1008594be005fe8f429

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6472.tmp

Filesize
1KB

MD5
e1853fba7bb7409a38fa4e966bccb527

SHA1
5fcfb5e05f1593ddb7897695bf9b492e827636e8

SHA256
5a478da848d9c8e096e71a14b3d7fd1cdefa8208839ae8499d9952eba6c38edb

SHA512
cbea20f50a9eefcc57870f9858a818d6f3d3def66b09c383828ff8a53404b206328946f11e61f7cbceaeb9b14e4ccc66e82aa5e394ff6f254d06c671caed85e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4u5hmnn3.rcj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvhzo21t\dvhzo21t.dll

Filesize
3KB

MD5
7c4aca1a822349342f68c8a8e94325b3

SHA1
fdc4d7225b9a87013ef84291914d75abba944b6b

SHA256
0cde7b02e4e7767f54d04e844bdf638c05ab22129fd73465a112942d5da3276b

SHA512
0785dc01af5655322772ca1d2a08c9f7838ae1c34f8c24f71eed3f9cd02d9577dfe353895b7910132489b3275313f32cdb0276fb62ec3793e9588abe14d6c4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlz1m3y1\nlz1m3y1.dll

Filesize
5KB

MD5
8d5f933b54766d8c75956859e47daa46

SHA1
292b4499e3ba078b6ddbbbfbb9325cbaa2f89480

SHA256
1e741c293a14f392be9b96d16301b1b0f4674f5ffb3f31907a3dc7d8dea9e47b

SHA512
d6017cfa341413212bd4ca563718ef8a587cc582751b7f95043655f3b19fbf6733df775cc1f4c0def0e92b26bbc93fbfcfd899fb629ccd2cb99eab8ab73af77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\Downloads\SynapseX-cracked-main.zip

Filesize
2.0MB

MD5
2e90d7830b5d9fb47837dd8420f7d070

SHA1
b835237ca65d0141c4595d3235e33aa7a5d0f2de

SHA256
7d1f27b4190525ca571328ad21c0adf62a07aafe3664bd9bc42b93fdbb212807

SHA512
3ae9dd2de3fe06d28acd4c2fbe8622694a9c3b46a8675eaeeb664733b78b610db5cd471f1e86a8168c351d7912f28ebb68d295ec35d708014b8164c12404cbc9

Download Submit
C:\Windows\TEMP\SDIAG_e7b07aab-ee5f-4e87-b4dc-1733fc921136\RS_ProgramCompatibilityWizard.ps1

Filesize
49KB

MD5
edf1259cd24332f49b86454ba6f01eab

SHA1
7f5aa05727b89955b692014c2000ed516f65d81e

SHA256
ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27

SHA512
a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0

Download Submit
C:\Windows\TEMP\SDIAG_e7b07aab-ee5f-4e87-b4dc-1733fc921136\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_e7b07aab-ee5f-4e87-b4dc-1733fc921136\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_e7b07aab-ee5f-4e87-b4dc-1733fc921136\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_e7b07aab-ee5f-4e87-b4dc-1733fc921136\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xvfs4f2\3xvfs4f2.0.cs

Filesize
11KB

MD5
acf1a7b8aab4c6efda423d4842a10a85

SHA1
ac55b84b81527ad1224a85640c5a2555b19b685d

SHA256
af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa

SHA512
22e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xvfs4f2\3xvfs4f2.cmdline

Filesize
356B

MD5
474ee95b12b966f7eb279e23c4d02bf6

SHA1
f8177967d65219bba97f6b5dc8431840a377e808

SHA256
54e0f2d9410164eb03823ade91481dc536d7b0400f13b9837357f4740c2aeda4

SHA512
f87241a8a6ac6f80982785ad554e412fc936e6b6fee73516cfb5eb29a57a1d87f9e784576833b55ac7a9b6e21a5d936ea024a15834124d2a28e810dab56480bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xvfs4f2\CSC72C419A6E48D492C851F6F50C973726.TMP

Filesize
652B

MD5
2f93cecc97bedcea9d11ae18fb5b832f

SHA1
675345ecf7a0657aff317ae58827c8782e0d8135

SHA256
e130619f5d24c062402930f6afcdfa39e23a808e6cf9685048244505cbe723cf

SHA512
605fe1d026479d7d4e822b083239e578b6350f5ee031c563b79334d0c1d967e63c717cf5ff9d5760c6f3ae8393a3669f9166e34d4087bd27c09458951ef0bb20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvhzo21t\CSC5AB965287EF347A8B0489D212058F49D.TMP

Filesize
652B

MD5
9c0a26b0e7d9ec03267a61f6c746383e

SHA1
dae1d6f59f983dc6007adf718197bd10e36aba67

SHA256
8d1c2774b519a4d4db753411dc7c27c8c3e0fb7747903afcd0e5d7e2380b3807

SHA512
836cd8e25d366d4b83bcadaf7b5c0b5d939b43696e2b83d101159f211c2adc513ec19adfd12c139876003761f87667e9e6010f61ceeac4aaca825dc5c197c182

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvhzo21t\dvhzo21t.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvhzo21t\dvhzo21t.cmdline

Filesize
356B

MD5
1312ff32814b065b7f87fb3fc5aece7e

SHA1
7f1559e50e9303d29fcf6f0a5f4d9599cf29f0a0

SHA256
463278ad513c9d4d43bd6826372e1f5a1830f93583f9f30a388ac68ae7484829

SHA512
25310d5c5c59592b8a55d7d009d8397d7892c970d4b704a168c468843987b09316202378aede8e233b0c483089532a6bf089cb3312774e921c33520b026c238b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlz1m3y1\CSC71126B73B89448648E906D34A1DACE58.TMP

Filesize
652B

MD5
02b822008a8350ca243d55ae04a52c23

SHA1
bc6a783d1514cbf6db0c72c546eec142bb4312e7

SHA256
c37e8686bb16b86fd4c4d5898641e063e9cbf0e95861c3dff3858ca9fe70b793

SHA512
20032ae08b2cd90579073eafcd74a7d139c0e5f93a65ec49b1742c1db445b52c0e0ee4d0e8eda9a2bebcc838c1470a568e62cfc8eff691c31d54a2bcd836faba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlz1m3y1\nlz1m3y1.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nlz1m3y1\nlz1m3y1.cmdline

Filesize
356B

MD5
ba651e6a32fc10a39c0d040a6a6d2dec

SHA1
a83aabfce70467106ba121364a45caae9554216f

SHA256
65ae8e988a832e1e73a21ec320d3e7624fa644a53910a1801146381f721e77d6

SHA512
caad2785c3bd1b8d04cb6ffa02bd9ea5844750eddb4fc23e54e513f36a7b8ff86b96fd42e5e27fb2f5bfff770cb90b6f06f39ccc193365d7a9773a77b3bacc0a

Download Submit
\??\pipe\LOCAL\crashpad_4904_ONQBELGPMXTKOLWD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2128-103-0x000000001BE10000-0x000000001BE36000-memory.dmp

Filesize
152KB

Download
memory/2128-97-0x0000000000140000-0x000000000034A000-memory.dmp

Filesize
2.0MB

Download
memory/2128-99-0x000000001B410000-0x000000001B42A000-memory.dmp

Filesize
104KB

Download
memory/2128-98-0x00000000023E0000-0x00000000023EA000-memory.dmp

Filesize
40KB

Download
memory/2128-112-0x000000001C880000-0x000000001C8BC000-memory.dmp

Filesize
240KB

Download
memory/2128-111-0x000000001C820000-0x000000001C832000-memory.dmp

Filesize
72KB

Download
memory/2128-102-0x000000001C580000-0x000000001C5F6000-memory.dmp

Filesize
472KB

Download
memory/2128-104-0x000000001BE40000-0x000000001BED0000-memory.dmp

Filesize
576KB

Download
memory/5236-287-0x000001D64B830000-0x000001D64B838000-memory.dmp

Filesize
32KB

Download
memory/5236-272-0x000001D64B820000-0x000001D64B828000-memory.dmp

Filesize
32KB

Download
memory/5236-304-0x000001D664110000-0x000001D664118000-memory.dmp

Filesize
32KB

Download
memory/5236-256-0x000001D663E90000-0x000001D663EB2000-memory.dmp

Filesize
136KB

Download
memory/5416-398-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-388-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-389-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-390-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-394-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-400-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-399-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-397-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-396-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-395-0x0000018832290000-0x0000018832291000-memory.dmp

Filesize
4KB

Download
memory/5416-270-0x0000022B0E400000-0x0000022B0EEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5508-285-0x0000012E02380000-0x0000012E02E41000-memory.dmp

Filesize
10.8MB

Download
memory/5632-302-0x000002B064BE0000-0x000002B0656A1000-memory.dmp

Filesize
10.8MB

Download