Malware Analysis Report

2024-11-30 19:35

Sample ID 240921-a1svbaxbpk
Target Downloads.rar
SHA256 5c7b72a305729f16c303c0c1f7e05f34b93e3c6ce7d7d0776c669d0b1ae4a601
Tags agilenet themida pyinstaller discovery evasion trojan
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 5c7b72a305729f16c303c0c1f7e05f34b93e3c6ce7d7d0776c669d0b1ae4a601

Threat Level: Likely malicious

The file Downloads.rar was found to be: Likely malicious.

Malicious Activity Summary

agilenet themida pyinstaller discovery evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Checks BIOS information in registry

Loads dropped DLL

Themida packer

.NET Reactor protector

Checks whether UAC is enabled

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Detects Pyinstaller

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 00:42

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
25 matches, all fields N/A
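The static1 signatures above are file-format facts rather than behaviour: Unsigned PE means the Authenticode certificate table data directory is empty, the .NET Reactor and Agile.Net hits imply a CLR header that those protectors wrap, Themida is recognised from its packer stub and section layout, and PyInstaller from the CArchive cookie appended to the executable. The script below is an added example, not the sandbox's own detection code. It shows the structural checks behind those tags on a constructed minimal PE32 image, since the archive's files are not reproduced on this page. The `triage`, `data_directory`, `section_names` and `build_sample_pe` names are ours; the Themida check is a section-name heuristic only (a robust signature matches the packer stub, and packers can rename sections), and telling the two .NET obfuscators apart is left out.

```python
import struct

# Data-directory indices from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR (.NET) runtime header
# PyInstaller CArchive cookie magic, normally found in the appended overlay
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Section names Themida/WinLicense commonly leave behind (heuristic; packers can rename)
PACKER_SECTION_NAMES = {b".themida", b".winlice", b".boot"}


def _optional_header(data):
    """Locate the optional header: (offset, size, is_pe32plus, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, opt_size, magic == 0x20B, num_sections


def data_directory(data, index):
    """(VirtualAddress, Size) of data directory `index`; (0, 0) if the entry is absent."""
    opt, _, pe32plus, _ = _optional_header(data)
    count_off, dirs_off = (opt + 108, opt + 112) if pe32plus else (opt + 92, opt + 96)
    count, = struct.unpack_from("<I", data, count_off)
    if index >= count:
        return 0, 0
    return struct.unpack_from("<II", data, dirs_off + 8 * index)


def section_names(data):
    """Names of all section headers, NUL padding stripped."""
    opt, opt_size, _, n = _optional_header(data)
    first = opt + opt_size
    return [data[first + 40 * i:first + 40 * i + 8].rstrip(b"\x00") for i in range(n)]


def triage(data):
    """Static tags a file would raise under the report's static signatures (heuristic)."""
    tags = set()
    if data_directory(data, IMAGE_DIRECTORY_ENTRY_SECURITY)[1] == 0:
        tags.add("unsigned-pe")     # no Authenticode certificate table
    if data_directory(data, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[1] != 0:
        tags.add("dotnet")          # CLR header present (what Reactor/Agile.Net wrap)
    if PACKER_SECTION_NAMES & set(section_names(data)):
        tags.add("themida")
    if PYINSTALLER_MAGIC in data:
        tags.add("pyinstaller")
    return tags


def build_sample_pe(names, signed=False, clr=False, overlay=b""):
    """Constructed minimal PE32 header (not a runnable program) for exercising triage()."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    if clr:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 0x48)
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sections + overlay


if __name__ == "__main__":
    packed = build_sample_pe([b".text", b".themida"])
    print(sorted(triage(packed)))                        # ['themida', 'unsigned-pe']
    bundled = build_sample_pe([b".text"], signed=True, clr=True,
                              overlay=b"\x00" * 16 + PYINSTALLER_MAGIC + b"\x00" * 64)
    print(sorted(triage(bundled)))                       # ['dotnet', 'pyinstaller']
```

Run `triage(open(path, "rb").read())` over every file extracted from the archive to reproduce the per-file side of the 25 Unsigned PE matches; the Themida and PyInstaller flags only narrow down which of those files deserve the behavioural run first.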

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 00:41

Reported

2024-09-21 00:48

Platform

win7-20240903-en

Max time kernel

144s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Downloads.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Downloads.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"

Network

N/A

Files

memory/2772-25-0x000007FEFB0D0000-0x000007FEFB104000-memory.dmp

memory/2772-24-0x000000013FC00000-0x000000013FCF8000-memory.dmp

memory/2772-27-0x000007FEFB0B0000-0x000007FEFB0C8000-memory.dmp

memory/2772-28-0x000007FEFB090000-0x000007FEFB0A7000-memory.dmp

memory/2772-33-0x000007FEF7840000-0x000007FEF7851000-memory.dmp

memory/2772-32-0x000007FEF7AE0000-0x000007FEF7AFD000-memory.dmp

memory/2772-31-0x000007FEFA9B0000-0x000007FEFA9C1000-memory.dmp

memory/2772-30-0x000007FEFB050000-0x000007FEFB067000-memory.dmp

memory/2772-29-0x000007FEFB070000-0x000007FEFB081000-memory.dmp

memory/2772-26-0x000007FEF6030000-0x000007FEF62E6000-memory.dmp

memory/2772-51-0x000007FEF4A70000-0x000007FEF4A94000-memory.dmp

memory/2772-57-0x000007FEF3D80000-0x000007FEF3D91000-memory.dmp

memory/2772-56-0x000007FEF3DA0000-0x000007FEF3DB1000-memory.dmp

memory/2772-55-0x000007FEF49E0000-0x000007FEF49F2000-memory.dmp

memory/2772-54-0x000007FEF4A00000-0x000007FEF4A11000-memory.dmp

memory/2772-53-0x000007FEF4A20000-0x000007FEF4A43000-memory.dmp

memory/2772-52-0x000007FEF4A50000-0x000007FEF4A68000-memory.dmp

memory/2772-50-0x000007FEF4AA0000-0x000007FEF4AC8000-memory.dmp

memory/2772-49-0x000007FEF4AD0000-0x000007FEF4B27000-memory.dmp

memory/2772-48-0x000007FEF4B30000-0x000007FEF4B41000-memory.dmp

memory/2772-47-0x000007FEF4B50000-0x000007FEF4BCC000-memory.dmp

memory/2772-46-0x000007FEF4BD0000-0x000007FEF4C37000-memory.dmp

memory/2772-45-0x000007FEF6660000-0x000007FEF6690000-memory.dmp

memory/2772-44-0x000007FEF6690000-0x000007FEF66A8000-memory.dmp

memory/2772-43-0x000007FEF66B0000-0x000007FEF66C1000-memory.dmp

memory/2772-42-0x000007FEF6C70000-0x000007FEF6C8B000-memory.dmp

memory/2772-41-0x000007FEF6C90000-0x000007FEF6CA1000-memory.dmp

memory/2772-40-0x000007FEF6CB0000-0x000007FEF6CC1000-memory.dmp

memory/2772-39-0x000007FEF6CD0000-0x000007FEF6CE1000-memory.dmp

memory/2772-38-0x000007FEF6CF0000-0x000007FEF6D08000-memory.dmp

memory/2772-37-0x000007FEF7810000-0x000007FEF7831000-memory.dmp

memory/2772-34-0x000007FEF4E50000-0x000007FEF5F00000-memory.dmp

memory/2772-36-0x000007FEF6D10000-0x000007FEF6D51000-memory.dmp

memory/2772-35-0x000007FEF4C40000-0x000007FEF4E4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-21 00:41

Reported

2024-09-21 00:57

Platform

win10v2004-20240802-en

Max time kernel

652s

Max time network

658s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A

.NET Reactor protector

Description Indicator Process Target
63 matches, all fields N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe N/A (52 matches)
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A (12 matches)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe N/A
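The registry rows above are the part of this report worth keeping as detection logic. The VBOX__ ACPI key, the two BiosVersion values, EnableLUA and the Geo\Nation and NLS\Language lookups are the raw events behind the evasion and discovery signatures, whereas the Shell\Bags and BagMRU writes attributed to exe stripper.exe further down are Explorer and common-dialog view state (Bags\N\ComDlg\{GUID}), which is what a program leaves behind when it opens a file dialog, not persistence. The same distinction applies to behavioral1: the Win7 image had no .rar handler, cmd handed the archive to shell32's OpenAs_RunDLL (the Open With dialog) and it ended up in VLC, so every signature in that run belongs to vlc.exe's GUI and not to the archive contents. The script below is an added example and not part of the sandbox output. It parses rows in the four-column format printed above, buckets each registry path into one of those categories and lists the processes that performed evasion or discovery lookups. The sample rows are a constructed subset copied from the tables on this page; the category names, the `RULES` table and the function names are ours, and the FADT/RSDT variants of the VirtualBox ACPI key generalise beyond the single DSDT row the report shows.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral2 signature tables in this report (a constructed subset;
# the page carries no machine-readable export, so the text form is parsed directly).
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
"""

# One row of the report's "Description Indicator Process Target" tables.  Process paths
# contain spaces, so the indicator is matched lazily up to the next drive-letter path.
ROW = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|Set value \(\w+\))\s+"
    r"(?P<indicator>\\REGISTRY\\.*?)\s+"
    r"(?P<process>[A-Z]:\\.*?)\s+"
    r"(?P<target>\S+)$"
)

# Category rules distilled from the signatures above (category names are ours).  VirtualBox
# exposes its ACPI tables under the VBOX__ OEM id; Shell\Bags and BagMRU are Explorer /
# common-dialog view state, i.e. a file dialog being opened rather than persistence.
RULES = [
    ("anti-vm", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios-info", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion", re.I)),
    ("uac-check", re.compile(r"\\Policies\\System\\EnableLUA", re.I)),
    ("geo-location", re.compile(r"\\Control Panel\\International\\Geo\\Nation", re.I)),
    ("system-language", re.compile(r"\\Control\\NLS\\Language", re.I)),
    ("shellbag", re.compile(r"\\Shell\\(Bags|BagMRU)(\\|$)", re.I)),
]
EVASION_OR_DISCOVERY = {"anti-vm", "bios-info", "uac-check", "geo-location", "system-language"}


def parse_row(line):
    """Split one table row into its four columns, or return None for non-row text."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def classify(indicator):
    """Map a registry path (with an optional '= value' suffix) to a category."""
    path = indicator.split(" = ", 1)[0]
    for name, pattern in RULES:
        if pattern.search(path):
            return name
    return "other"


def summarize(text):
    """Per-process category counts over a block of report rows."""
    per_process = defaultdict(Counter)
    for line in text.splitlines():
        row = parse_row(line)
        if row:
            per_process[row["process"]][classify(row["indicator"])] += 1
    return per_process


def processes_of_interest(summary):
    """Processes that performed at least one evasion or discovery lookup."""
    return sorted(p for p, cats in summary.items() if EVASION_OR_DISCOVERY & set(cats))


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for proc in processes_of_interest(summary):
        print(proc, dict(summary[proc]))
```

Feed the full text of a signature table to `summarize()` to get the per-process breakdown. A process that lands only in the shellbag or other buckets (exe stripper.exe and OpenWith.exe here) is GUI noise worth discounting during triage; paint.exe, which combines an anti-VM lookup, two BIOS queries and a UAC check, is the binary to pull apart first.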

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000075b15b64d7e4da01b2d83cbebf0bdb01b2d83cbebf0bdb0114000000 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\paint.exe N/A (6 matches)
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A (24 matches)
N/A N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A (2 matches)
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe N/A
N/A N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\HxD.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A
N/A N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe C:\Windows\SYSTEM32\cmd.exe
PID 3204 wrote to memory of 3704 N/A C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe C:\Windows\SYSTEM32\cmd.exe
PID 3704 wrote to memory of 6108 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3704 wrote to memory of 6108 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5812 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 5812 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 6076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 6076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5812 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\getmac.exe
PID 5812 wrote to memory of 4356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\getmac.exe
PID 2952 wrote to memory of 3708 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe
PID 2952 wrote to memory of 3708 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe
PID 3708 wrote to memory of 636 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Windows\system32\cmd.exe
PID 3708 wrote to memory of 636 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Windows\system32\cmd.exe
PID 1616 wrote to memory of 3976 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe
PID 1616 wrote to memory of 3976 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe
PID 3976 wrote to memory of 2672 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Windows\system32\cmd.exe
PID 3976 wrote to memory of 2672 N/A C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe C:\Windows\system32\cmd.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe
PID 5864 wrote to memory of 676 N/A C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Downloads.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap25757:76:7zEvent28996

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19982:122:7zEvent8507

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Cracking Tools\" -spe -an -ai#7zMap21143:86:7zEvent11105

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe

"C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe"

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe

"C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe"

C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

"C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C wmic path win32_videocontroller get PNPDeviceID

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_videocontroller get PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cracking Tools\Filegrab\grab'\checker.bat" "

C:\Windows\system32\mode.com

mode con: cols=180 lines=62

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET PNPDeviceID

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic CPU get serialnumber

C:\Windows\system32\getmac.exe

getmac

C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe"

C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe"

C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\Cracking Tools\HxD.exe

"C:\Users\Admin\Desktop\Cracking Tools\HxD.exe"

C:\Users\Admin\Desktop\Cracking Tools\paint.exe

"C:\Users\Admin\Desktop\Cracking Tools\paint.exe"

C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe

"C:\Users\Admin\Desktop\Cracking Tools\UD\x64\435g3.exe"

C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

"C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe"

C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

"C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe"

C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

"C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C wmic path win32_videocontroller get PNPDeviceID

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_videocontroller get PNPDeviceID

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 5.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA).rar

MD5 2ede7b95d01c82f878b56464e6d28d44
SHA1 c480708d795140e64f9edf1ad1adf036a6990c67
SHA256 37f5eb023e6835c1b40b4a545e500aad3636d706c45f1fbd06650cccc959a047
SHA512 c93bf6959151abf68b07e8ff6d781e6d10d3535ce4b1ab19ecbffb15644f494626b42c12cf3c900f4295900d9910ee63e477012fcabee37abc88773938f46454

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\New folder (3)\VtOmJCVVlbZnXpSoEH

MD5 1898ceda3247213c084f43637ef163b3
SHA1 d04e5db5b6c848a29732bfd52029001f23c3da75
SHA256 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
SHA512 84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma

MD5 6f64ca90f4dde19acccc01c1a5f75978
SHA1 f7d358f39d48f34000c78b43063678fa9a7128af
SHA256 1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b
SHA512 cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\f_00004b

MD5 3ad1246ad83b3da15cb79566f692e912
SHA1 731b4fe9a0cad4259de8287bb03055abeb3028f7
SHA256 da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893
SHA512 a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif

MD5 325472601571f31e1bf00674c368d335
SHA1 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256 b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

C:\Users\Admin\Desktop\Cracking Tools\UD\x32\UD 32.ini

MD5 f26abe99220e90c62ee5248d1e7bbe50
SHA1 bf2b81e132d97e05c72acacf35a268d2e97a1fa4
SHA256 959f3e8a3d880f5c63d30b659c79abb8c909074951c02eed773864173a42d2e1
SHA512 b9b6331e8166ac92a3b3b376553688d126aff5b673e7d0f1e98ec8156c27dfbe83488c7697265e64bf8dfae1ce8a961476a9e717a6f4954840fd35d76025452b

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.exe

MD5 3c83b6e9727222fbd45abe3f3e3b7b01
SHA1 5a6c758528b3fd54bf022dac63aa6d893ec04c80
SHA256 8449de3a9db084ea8734d03de099ee0755a739928809204a71d79fa3134582dd
SHA512 435dbd5ca55cf8ec4d02f51a03c7f61fe7284129ec83b2204112e99260500cb50e9d6ebd102e6a96a68ba7b3038bee5d6d9192f5e2b81d04223d13b94914943e

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.runtimeconfig.json

MD5 07b9a30265ca4e69c7016a1b6e3ffc27
SHA1 3a4af82a2695b1423aedd8b60a5c86793c011b02
SHA256 c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782
SHA512 efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.deps.json

MD5 a3f5e797abefc2c37ccb50b50b098220
SHA1 c3dcad4ed727c731c38a019a746266ce796a3ba5
SHA256 be77125873ae0138ea9f951133b3c102bf42d2033051d3e617fe52daa34e72af
SHA512 094ee8da2880cd9b16d70788979ca11a641d51d445f6845bd1cde9c5e4326eb56ee3823531de218341f991603ec709e6534fda454962d1ed16fe1b90abdfb3de

C:\Users\Admin\Desktop\exe stripper by formal v1 (BETA)\exe stripper.dll

MD5 e090d626d93eeb82dc583c8f5dab883b
SHA1 850800ebe7e88d3a2321a9383187c43ec22c5b9b
SHA256 716d9a65b788fe4c52c161b112cec9afe82805ecf35f41ef3033fe65f2fa4e4c
SHA512 f568d26a58166c11b0efaa0d4782101726717a947c45bfd5db8e42222efbe23f6973d1f23e0a46c5794bb252063c1240bf936518649b9f9e948a7380a4ca0c32

C:\Users\Admin\Desktop\Disk Woofer Loader\nebula disk spoofer.exe

MD5 5cb4544c33d057999f2752e6834f5471
SHA1 97cc09ecb78ca17ff4a48430927b49d5c26facb1
SHA256 f7fbaefb0fd9c3395a00f8b48ab3d11ba0e8b8f18e598e19e5926ab8b63e389b
SHA512 37004655d28f2667505d40e977ad7e8cf4031c7a55cebdd3fb192b475a27b0e33ac5e4c74b5401c1e7db7a5b33c5fab78f9fb4d2bc5a74ee9ab12d82771c8371

C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe

MD5 27f87ebebb071afec1891e00fd0700a4
SHA1 fbfc0a10ecf83da88df02356568bcac2399b3b9d
SHA256 11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9
SHA512 5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d

memory/3204-1862-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1874-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1885-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1925-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1924-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1923-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1922-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1921-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1920-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1919-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1917-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1916-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1915-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1914-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1913-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1912-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1911-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1910-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1908-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1909-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1907-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1906-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1905-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1904-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1903-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1902-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1901-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1900-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1899-0x00000211D9180000-0x00000211D9200000-memory.dmp

memory/3204-1897-0x00000211D9180000-0x00000211D9200000-memory.dmp
