Analysis Overview
SHA256
5c7b72a305729f16c303c0c1f7e05f34b93e3c6ce7d7d0776c669d0b1ae4a601
Threat Level: Likely malicious
The file Downloads.rar was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Checks BIOS information in registry
Loads dropped DLL
Themida packer
.NET Reactor protector
Checks whether UAC is enabled
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Detects PyInstaller
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-21 00:42
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects PyInstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 00:41
Reported
2024-09-21 00:48
Platform
win7-20240903-en
Max time kernel
144s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2376 wrote to memory of 2336 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2336 wrote to memory of 2816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2816 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Downloads.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Downloads.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-21 00:41
Reported
2024-09-21 00:57
Platform
win10v2004-20240802-en
Max time kernel
652s
Max time network
658s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\HxD.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5864 set thread context of 676 | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe |
Detects PyInstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000075b15b64d7e4da01b2d83cbebf0bdb01b2d83cbebf0bdb0114000000 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\HxD.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\HxD.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\paint.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap25757:76:7zEvent28996 |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19982:122:7zEvent8507 |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Cracking Tools\" -spe -an -ai#7zMap21143:86:7zEvent11105 |
| C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe | "C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe" |
| C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe | "C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe" |
| C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | "C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe" |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /C wmic path win32_videocontroller get PNPDeviceID |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_videocontroller get PNPDeviceID |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cracking Tools\Filegrab\grab'\checker.bat" " |
| C:\Windows\system32\mode.com | mode con: cols=180 lines=62 |
| C:\Windows\System32\Wbem\WMIC.exe | wmic diskdrive get serialnumber |
| C:\Windows\System32\Wbem\WMIC.exe | wmic baseboard get serialnumber |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_computersystemproduct get uuid |
| C:\Windows\System32\Wbem\WMIC.exe | wmic PATH Win32_VideoController GET PNPDeviceID |
| C:\Windows\System32\Wbem\WMIC.exe | wmic memorychip get serialnumber |
| C:\Windows\System32\Wbem\WMIC.exe | wmic CPU get serialnumber |
| C:\Windows\system32\getmac.exe | getmac |
| C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe | "C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe" |
| C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe | "C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe | "C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe" |
| C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe | "C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Users\Admin\Desktop\Cracking Tools\HxD.exe | "C:\Users\Admin\Desktop\Cracking Tools\HxD.exe" |
| C:\Users\Admin\Desktop\Cracking Tools\paint.exe | "C:\Users\Admin\Desktop\Cracking Tools\paint.exe" |
| C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe | "C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe" |
| C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | "C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe" |
| C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | "C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe" |
| C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe | "C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe" |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /C wmic path win32_videocontroller get PNPDeviceID |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_videocontroller get PNPDeviceID |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA).rar
| MD5 | 2ede7b95d01c82f878b56464e6d28d44 |
| SHA1 | c480708d795140e64f9edf1ad1adf036a6990c67 |
| SHA256 | 37f5eb023e6835c1b40b4a545e500aad3636d706c45f1fbd06650cccc959a047 |
| SHA512 | c93bf6959151abf68b07e8ff6d781e6d10d3535ce4b1ab19ecbffb15644f494626b42c12cf3c900f4295900d9910ee63e477012fcabee37abc88773938f46454 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\New folder (3)\VtOmJCVVlbZnXpSoEH
| MD5 | 1898ceda3247213c084f43637ef163b3 |
| SHA1 | d04e5db5b6c848a29732bfd52029001f23c3da75 |
| SHA256 | 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b |
| SHA512 | 84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma
| MD5 | 6f64ca90f4dde19acccc01c1a5f75978 |
| SHA1 | f7d358f39d48f34000c78b43063678fa9a7128af |
| SHA256 | 1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b |
| SHA512 | cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\f_00004b
| MD5 | 3ad1246ad83b3da15cb79566f692e912 |
| SHA1 | 731b4fe9a0cad4259de8287bb03055abeb3028f7 |
| SHA256 | da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893 |
| SHA512 | a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Users\Admin\Desktop\Cracking Tools\UD\x32\UD 32.ini
| MD5 | f26abe99220e90c62ee5248d1e7bbe50 |
| SHA1 | bf2b81e132d97e05c72acacf35a268d2e97a1fa4 |
| SHA256 | 959f3e8a3d880f5c63d30b659c79abb8c909074951c02eed773864173a42d2e1 |
| SHA512 | b9b6331e8166ac92a3b3b376553688d126aff5b673e7d0f1e98ec8156c27dfbe83488c7697265e64bf8dfae1ce8a961476a9e717a6f4954840fd35d76025452b |
C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe
| MD5 | 3c83b6e9727222fbd45abe3f3e3b7b01 |
| SHA1 | 5a6c758528b3fd54bf022dac63aa6d893ec04c80 |
| SHA256 | 8449de3a9db084ea8734d03de099ee0755a739928809204a71d79fa3134582dd |
| SHA512 | 435dbd5ca55cf8ec4d02f51a03c7f61fe7284129ec83b2204112e99260500cb50e9d6ebd102e6a96a68ba7b3038bee5d6d9192f5e2b81d04223d13b94914943e |
C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.runtimeconfig.json
| MD5 | 07b9a30265ca4e69c7016a1b6e3ffc27 |
| SHA1 | 3a4af82a2695b1423aedd8b60a5c86793c011b02 |
| SHA256 | c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782 |
| SHA512 | efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c |
C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.deps.json
| MD5 | a3f5e797abefc2c37ccb50b50b098220 |
| SHA1 | c3dcad4ed727c731c38a019a746266ce796a3ba5 |
| SHA256 | be77125873ae0138ea9f951133b3c102bf42d2033051d3e617fe52daa34e72af |
| SHA512 | 094ee8da2880cd9b16d70788979ca11a641d51d445f6845bd1cde9c5e4326eb56ee3823531de218341f991603ec709e6534fda454962d1ed16fe1b90abdfb3de |
C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.dll
| MD5 | e090d626d93eeb82dc583c8f5dab883b |
| SHA1 | 850800ebe7e88d3a2321a9383187c43ec22c5b9b |
| SHA256 | 716d9a65b788fe4c52c161b112cec9afe82805ecf35f41ef3033fe65f2fa4e4c |
| SHA512 | f568d26a58166c11b0efaa0d4782101726717a947c45bfd5db8e42222efbe23f6973d1f23e0a46c5794bb252063c1240bf936518649b9f9e948a7380a4ca0c32 |
C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
| MD5 | 5cb4544c33d057999f2752e6834f5471 |
| SHA1 | 97cc09ecb78ca17ff4a48430927b49d5c26facb1 |
| SHA256 | f7fbaefb0fd9c3395a00f8b48ab3d11ba0e8b8f18e598e19e5926ab8b63e389b |
| SHA512 | 37004655d28f2667505d40e977ad7e8cf4031c7a55cebdd3fb192b475a27b0e33ac5e4c74b5401c1e7db7a5b33c5fab78f9fb4d2bc5a74ee9ab12d82771c8371 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe
| MD5 | 27f87ebebb071afec1891e00fd0700a4 |
| SHA1 | fbfc0a10ecf83da88df02356568bcac2399b3b9d |
| SHA256 | 11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9 |
| SHA512 | 5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d |
memory/3204-1862-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1874-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1885-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1925-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1924-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1923-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1922-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1921-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1920-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1919-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1917-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1916-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1915-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1914-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1913-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1912-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1911-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1910-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1908-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1909-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1907-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1906-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1905-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1904-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1903-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1902-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1901-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1900-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1899-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1897-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1896-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1895-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1894-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1890-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1889-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1887-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1886-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1884-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1883-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1882-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1881-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1880-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1879-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1878-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1877-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1876-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1875-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1873-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1872-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1918-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1871-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1870-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1869-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1868-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1867-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1898-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1866-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1893-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1892-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1891-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1888-0x00000211D9180000-0x00000211D9200000-memory.dmp
memory/3204-1865-0x00000211D9180000-0x00000211D9200000-memory.dmp
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\grab'\checker.bat
| MD5 | 052ab8e86aaa92aea118f486d7759e8f |
| SHA1 | e8d0c99f83bb2c05f42a934eba63c01b854261ee |
| SHA256 | 863d0c5c2334f9ac2c016da5bab81baeae7e122c566d9180e465e31cc3558a0f |
| SHA512 | 214793b391dd587ca143d3d7bb9cc722dfbce181ea51d305815584921c16b088cf5d787d89ec25d699c17f99cef32decc3b748d7602ff676219e18e717a84fa9 |
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\grab'
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe
| MD5 | 69e2318d24da523c4d6623385a81f201 |
| SHA1 | 62f8fbf59fabad8052dc215fc6f7527d7fd4e33f |
| SHA256 | 33c27d4deaaf54f832849d71ce65ce568eb2ca2bb1f24c21f9cf9f0dde7af955 |
| SHA512 | ccdad88cef3469e87d6952779f76b326246dc6e00b22028667924e44fcfa1a19140d73e591014a05e6148169622ea0f7b19c695e096acf44348daa774ce47632 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\ucrtbase.dll
| MD5 | 6169dac91a2ab01314395d972fc48642 |
| SHA1 | a8d9df6020668e57b97c01c8fd155a65218018af |
| SHA256 | 293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e |
| SHA512 | 5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\base_library.zip
| MD5 | 5327287d65cc9ab041ce96e93d3a6d53 |
| SHA1 | a57aa09afecf580c301f1a7702dbbb07327cf8a9 |
| SHA256 | 73cdfcec488b39e14993fb32a233de4bc841a394092fcac1deb6ee41e24720ea |
| SHA512 | 68fc996b4809a762b8d44323a5d023ba8a39580039c748bc310da9878c94fe1685709ab959365ecb26a5ee1a82e65f2eb19344f1f03d4dff48eb87a403a57c20 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_lzma.pyd
| MD5 | e5abc3a72996f8fde0bcf709e6577d9d |
| SHA1 | 15770bdcd06e171f0b868c803b8cf33a8581edd3 |
| SHA256 | 1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb |
| SHA512 | b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\pyexpat.pyd
| MD5 | 9c21a5540fc572f75901820cf97245ec |
| SHA1 | 09296f032a50de7b398018f28ee8086da915aebd |
| SHA256 | 2ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045 |
| SHA512 | 4217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_bz2.pyd
| MD5 | 3859239ced9a45399b967ebce5a6ba23 |
| SHA1 | 6f8ff3df90ac833c1eb69208db462cda8ca3f8d6 |
| SHA256 | a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a |
| SHA512 | 030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_ctypes.pyd
| MD5 | bd36f7d64660d120c6fb98c8f536d369 |
| SHA1 | 6829c9ce6091cb2b085eb3d5469337ac4782f927 |
| SHA256 | ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902 |
| SHA512 | bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\python3.dll
| MD5 | b711598fc3ed0fe4cf2c7f3e0877979e |
| SHA1 | 299c799e5d697834aa2447d8a313588ab5c5e433 |
| SHA256 | 520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a |
| SHA512 | b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_queue.pyd
| MD5 | f00133f7758627a15f2d98c034cf1657 |
| SHA1 | 2f5f54eda4634052f5be24c560154af6647eee05 |
| SHA256 | 35609869edc57d806925ec52cca9bc5a035e30d5f40549647d4da6d7983f8659 |
| SHA512 | 1c77dd811d2184beedf3c553c3f4da2144b75c6518543f98c630c59cd597fcbf6fd22cfbb0a7b9ea2fdb7983ff69d0d99e8201f4e84a0629bc5733aa09ffc201 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\select.pyd
| MD5 | c97a587e19227d03a85e90a04d7937f6 |
| SHA1 | 463703cf1cac4e2297b442654fc6169b70cfb9bf |
| SHA256 | c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf |
| SHA512 | 97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_socket.pyd
| MD5 | 1eea9568d6fdef29b9963783827f5867 |
| SHA1 | a17760365094966220661ad87e57efe09cd85b84 |
| SHA256 | 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117 |
| SHA512 | d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_ssl.pyd
| MD5 | 208b0108172e59542260934a2e7cfa85 |
| SHA1 | 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a |
| SHA256 | 5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69 |
| SHA512 | 41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\libcrypto-1_1.dll
| MD5 | e94733523bcd9a1fb6ac47e10a267287 |
| SHA1 | 94033b405386d04c75ffe6a424b9814b75c608ac |
| SHA256 | f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44 |
| SHA512 | 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\libssl-1_1.dll
| MD5 | 25bde25d332383d1228b2e66a4cb9f3e |
| SHA1 | cd5b9c3dd6aab470d445e3956708a324e93a9160 |
| SHA256 | c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13 |
| SHA512 | ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_overlapped.pyd
| MD5 | e5aceaf21e82253e300c0b78793887a8 |
| SHA1 | c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde |
| SHA256 | d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a |
| SHA512 | 517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\_asyncio.pyd
| MD5 | 79f71c92c850b2d0f5e39128a59054f1 |
| SHA1 | a773e62fa5df1373f08feaa1fb8fa1b6d5246252 |
| SHA256 | 0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980 |
| SHA512 | 3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\unicodedata.pyd
| MD5 | aa13ee6770452af73828b55af5cd1a32 |
| SHA1 | c01ece61c7623e36a834d8b3c660e7f28c91177e |
| SHA256 | 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb |
| SHA512 | b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\capstone\lib\capstone.dll
| MD5 | 1c0a3d7dec9513cd4c742a7038c73445 |
| SHA1 | 8a7dcf7371b8c6711b6f49d85cec25196a885c03 |
| SHA256 | f59984896a7f3f35b5f169e3d0cc6f4429a363b0f2bf779fff8ef4ccdcc6b26a |
| SHA512 | 35182912d37265170b2ab3b2c417e26e49211eb5006b7fe8eae90f3c1c806db2477c5652065173e35f5ba7be4155a89286a6831ddbffccd82d526839bb54a596 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\lief\_lief.cp311-win_amd64.pyd
| MD5 | 4b71e3409eab0ff2c597b708aadc5d3d |
| SHA1 | cd2a29382255a86dd2f402f7df9dfe84515f2e07 |
| SHA256 | b6cea0f27e56df286ce2c975e3ee95af5d8fefd440d191d53a0aa0d0c9850d4d |
| SHA512 | 45c3fa067748ca303c8ed9dc7a67a692065457c3b2a54d8a333b435017589f8232ac9b97f9fcf6e0aeee34efedfaba5a71f60bb19a2acd0b0f9410d3df3fe298 |
C:\Users\Admin\AppData\Local\Temp\_MEI29522\pyscylla.cp311-win_amd64.pyd
| MD5 | bb134078c74d840020ed06c9d78473ad |
| SHA1 | ea77a6990327bacd1d90c25178c9e9eee6f13f6b |
| SHA256 | 70512f3a603eecff58005b7fe81490e62bf2e5054fee41384185f08f08b12ab1 |
| SHA512 | 4da284ca0f9327fef6c4a4be499bbef00cae7865a3072db38071d63431a849ca281bd44ad80bd30676361081dd1f3c0d91ae5c53d6f5a450e570a48a3a447c56 |
memory/368-3749-0x00007FF74A8E0000-0x00007FF74B433000-memory.dmp
memory/368-3759-0x00007FF74A8E0000-0x00007FF74B433000-memory.dmp