xmrig | hxxp://www[.]mediafire[.]com/file/qnslvh8d1fd3d2o/Instagram+Hack+Tool[.]zip/file

Analysis

max time kernel
107s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.mediafire.com/file/qnslvh8d1fd3d2o/Instagram+Hack+Tool.zip/file

Score

10^/10

xmrig discovery evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/3888-432-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-431-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-434-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-438-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-437-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-436-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3888-435-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3928	powershell.exe
3736	powershell.exe
4796	powershell.exe
1616	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
4772	DoxingTool.exe
376	yourfile.exe
4948	wvnncfkskedj.exe
1520	DoxingTool.exe
3320	yourfile.exe
4964	wvnncfkskedj.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	wvnncfkskedj.exe
File opened for modification	C:\Windows\system32\MRT.exe	yourfile.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	wvnncfkskedj.exe
File opened for modification	C:\Windows\system32\MRT.exe	yourfile.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 460	4948	wvnncfkskedj.exe	141
PID 4948 set thread context of 3888	4948	wvnncfkskedj.exe	144

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3888-427-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-428-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-430-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-429-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-432-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-431-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-426-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-434-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-438-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-437-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-436-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3888-435-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3784	sc.exe
2148	sc.exe
5072	sc.exe
772	sc.exe
4856	sc.exe
4876	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
988	msedge.exe
988	msedge.exe
4612	msedge.exe
4612	msedge.exe
2792	msedge.exe
2792	msedge.exe
4780	identity_helper.exe
4780	identity_helper.exe
376	yourfile.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
376	yourfile.exe
376	yourfile.exe
376	yourfile.exe
376	yourfile.exe
376	yourfile.exe
4948	wvnncfkskedj.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
4948	wvnncfkskedj.exe
4948	wvnncfkskedj.exe
4948	wvnncfkskedj.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3888	conhost.exe
3320	yourfile.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	392	7zG.exe
Token: 35	392	7zG.exe
Token: SeSecurityPrivilege	392	7zG.exe
Token: SeSecurityPrivilege	392	7zG.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeLockMemoryPrivilege	3888	conhost.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
392	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4772	DoxingTool.exe
1520	DoxingTool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1008	4612	msedge.exe	82
PID 4612 wrote to memory of 1008	4612	msedge.exe	82
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 2588	4612	msedge.exe	83
PID 4612 wrote to memory of 988	4612	msedge.exe	84
PID 4612 wrote to memory of 988	4612	msedge.exe	84
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85
PID 4612 wrote to memory of 2000	4612	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.mediafire.com/file/qnslvh8d1fd3d2o/Instagram+Hack+Tool.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9c0a46f8,0x7ffd9c0a4708,0x7ffd9c0a4718
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,727189699863684558,12947071877640114982,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Instagram Hack Tool\" -ad -an -ai#7zMap6886:100:7zEvent32062
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:392

C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.exe
"C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4772
- C:\Users\Admin\AppData\Local\Temp\yourfile.exe
  "C:\Users\Admin\AppData\Local\Temp\yourfile.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1056
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PPEDVZNB"
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PPEDVZNB" binpath= "C:\ProgramData\uvmseyrtkvft\wvnncfkskedj.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PPEDVZNB"
    3⤵
    - Launches sc.exe
    PID:4856

C:\ProgramData\uvmseyrtkvft\wvnncfkskedj.exe
C:\ProgramData\uvmseyrtkvft\wvnncfkskedj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4948
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4456
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4396
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:460
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888

C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.exe
"C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1520
- C:\Users\Admin\AppData\Local\Temp\yourfile.exe
  "C:\Users\Admin\AppData\Local\Temp\yourfile.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3288
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3784
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PPEDVZNB"
    3⤵
    - Launches sc.exe
    PID:4876

C:\ProgramData\uvmseyrtkvft\wvnncfkskedj.exe
C:\ProgramData\uvmseyrtkvft\wvnncfkskedj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4964
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3528
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\29c03ec7-85d6-4967-a4c3-5790ded274b9.tmp

Filesize
10KB

MD5
8f39a07066580f12c637b74ff3537354

SHA1
9a99bab58e322d180da7d38c3ca50778ec3160af

SHA256
e15521422175dbc98e577a6818065bae662b9a4a78d5edfe58088cc22aff5d90

SHA512
a2a0da722f65cd2d3e1f4ae1540502ce76b5ada043446af09d49f38944c766ac3159a455f41e423e18027866bb22f3d67421a15f79378e043eb8e4ff6bfbcb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
78ada849d02ab3e9d282d5e2c76ed61a

SHA1
6239ea5976ea52d17f33bbc8bd991251c4e071dd

SHA256
e013a062c6120408599ae09c01a4f1d91b3d5950f97d16b8de1f9ff643b54c8b

SHA512
8117e9176ce9aa0ff437e2cd1908b90a17cceed4cadfc6d5b2495e29928cfca42ee2a6cc723f78674ecbae5a736d837f3a5b3b17863e7ab926d2b31d7d9b5c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
254527af48b1bb87b8f30d70895f112b

SHA1
ecaaf4af72dcaf830cb6b927307dce7d3070e20c

SHA256
5c9510d2f89fdffe737bea630edad44c5687e8e33b51395b15f22a4e19c94083

SHA512
19225795e1d03ebbeee13ad2cfbfad4865bc19f8d3057bf3657564fa9a1ea3c656d66a8e5aa513f76daf95d8a9bb697459d82f06b4ba261a006c5c7c718b0569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
8392342c677fb8a3f72aec7015ee460c

SHA1
a06c2148ae722b02cb75fe1ee652687ae92cd96f

SHA256
920873f0e475521e9c8e93ec00f152aa820f9e4c8e4b2ca2fa2f695898ec64b5

SHA512
90e998535abe2d5786d7196a5ef5e7cb9fd72402091de76b5fa7955ffcbc9905bb934b10c85c20a21fdbbcd25e08ea9802a9522132b9a0ec8ac63dd4ad5831c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c01b3ba2c19bbdcf3ae1cd80c90e3d6f

SHA1
544077802fed7dba1466ed0e8bdc86b054b3b175

SHA256
9050a6cdcef8d9a10cb63419cb03a6d3a836a367de38d72059ee68e761714ca4

SHA512
e65a17eaeecbd03f97ae5281022ba0e636306f14230740de35e35ee150670b674e2fbd133a232205d1ff599a2c176537e6603400d3a664810fcca7050b15a068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
57c6205ed1a32d0747a7ac000a782d1d

SHA1
4a665412dc66b71f558864ad3ced70d66344891d

SHA256
598f92ac4c6e0ea09981d012654a8cf5bdddb01c6c32a979aa13624192841972

SHA512
b62f8fe1e48daa16ddb1a30e94e5ef9024a417fd7f10c64fe10695254a208239c1675743043193c279d29fc4d8c46c12fe764c700159ab82fb7902ab9bc7f866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6ebecd38925b47aef8d4e1369711711a

SHA1
cf2d65c235ef4ddd89bf75e2122e7e883a0149d8

SHA256
52dc488c607f946c05219763c08ad6547e936fe2478d855fdc67227b12e8aa0e

SHA512
865631936c97de3d8f7576cb4b4686de0afcf6b7006a4b2676eba1a9511310ffffaec9c54c69de94d827b19c9f1c8edd0c16e65de537929a10c402918f8ce249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b06754fd85961259be5886a8129fe82f

SHA1
c9209d2b2c453e3db3fd65b09d661170dbe20b59

SHA256
77eba04ff0f4d4ea800d06eb593e6557a76b9cfb48d1da8cfd7422d9e8766f3f

SHA512
7a925a28c1ebe0515026041ae47f7b9ac4f773e77466d207ff965679ecc49460f705b2b83bc68e07662a5d3761f7eb489ec56dc8410112230a0eef0e5c49a0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
513e610bfe1931cfe21524d17fadb44c

SHA1
93adca33020566ed238e06f009cee7b9bffac629

SHA256
e0c22b1e3d701713525cb3ea5194ddba2ebd020d12b608b2d3b66ed3b6296c2b

SHA512
a542f82b39bf85ff43285757790894b2095fa961ef7a39d97917df5aeb94f5a9398aae0b9db2294404b8663e56d7d278890a4fd0effd6fd4c5d3c245cf0d9ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57daa1.TMP

Filesize
1KB

MD5
b789fc8033082c443ce62e0a1775fe91

SHA1
1eae2d491c65d272d53e6d357a8f0b419016522c

SHA256
73c250ca844f67d55a5daba429eb814d54dc1ab4502912e96a30a278c9b35116

SHA512
e17ae51607dc3022ba287b577e8c11ac529f0ba67aec0d628f6a4336d4cab56550a7d7810ebe51d28d305535d0d8891d03bb1e9283099eaaf019b93613fcfd02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d65d6e9297241b6dcd9e60c67db5ca7

SHA1
a1329f203fc2c2a152cc2f339836a29094832844

SHA256
bf8142694563bc151ab0e4b013e4ed8b8d37c35a3b11f272033b97033a5370ff

SHA512
deacb4edbfe68eefcbc70666260abba28c220108541fd3795581d836067507693219af9560d3bd99f19edd6672f70d86e2b61ba75d01bdaaaae4e05ffcc257c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6684becc6e0f5db5d8c80597a896f45d

SHA1
7f5fbf31ddbe8184e11ee350ac37040f6f3c9005

SHA256
994ef54ae571ac153a603cd514657bfeb34d8a3861128d34d0284fbe9aa1ba1f

SHA512
49acc12b6cd17bbe4a803f7dfe7351bfacbb4d83b72dcc4099675e4b1a8d3c31ef8d2ca7f8462d1362ed7928035c1ac21229576e1e78c0b958d7d72897f05d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pahrsug.wax.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yourfile.exe

Filesize
2.5MB

MD5
e57590d47b11531ec041089132696d97

SHA1
f408a9b9f37eb0337fab416d04e66347d6eb826a

SHA256
c35f2211c0a482b0124c79070767b26ea75750a0255d8cfa7e85fe2e1d3dd16a

SHA512
a56b18761fcc06e2d194f238b4e7612b0c6653465689512ff054c19f0cd65ec9f092a836452d3bb2883c17eec87b5412172476f5ebe5157afd960e761ddf89c9

Download Submit
C:\Users\Admin\Downloads\Instagram Hack Tool.zip

Filesize
109KB

MD5
953760081bb78fc4530383475831396a

SHA1
c229d5750fb0232062f8b1b3978e66c9a09a6832

SHA256
5104f6a82f5a6dc7b9e7e91d0d619f5eb139ef6d5abe08d68ecc086bd363a89f

SHA512
611729b87ff397c850c6430163a8da98bd088a0572230223357c26fd08971c1f3a4ff09b219abde660ad0fe250faf4f4801d573726e73223c82aac2a2f643c2c

Download Submit
C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.deps.json

Filesize
422B

MD5
c395346c50743da191f6dde6da6d5b41

SHA1
c61830f4fc6c140689e256104374dd2605ec398c

SHA256
6ad5646689568672398897a377126c0af2e8d55f2ed9644f06b2214666549b2d

SHA512
6eb1b0032adbd948d3a8486bc838ad0419a5575cab2cfbd85d66304913f24651fd24ec3b7ee859d0390d8b2046efde5260a05d56bebae64a900a431e9062e702

Download Submit
C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.dll

Filesize
51KB

MD5
08ca54f5be4049e94327b33e6d136c53

SHA1
943897db620f8bbe8d1d8178e291016725f95310

SHA256
fbe4c4932a4b618e9586e1424fcd6df553eb6113a434587bb5c2479859d97db6

SHA512
35b5a6a758dec1569d4818da0cb4e4974caa3a6c3ce52d8d7db3a0a97f51caacd1effa0cf13cb49fc11ba0d10847a7906448a6fb24e8fade22ba7d5b5e8f8bd8

Download Submit
C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.exe

Filesize
147KB

MD5
86a0ec733f941ef453b58460281c18a4

SHA1
2d4aa40933ce66582b579bd80595a895144fd83c

SHA256
a6e7a4646d31f26762feae4f43d8a3954d93cced09d763ffc47e2489227f9036

SHA512
acb2ec06cbb2e16e3a37fdb81c23885b13da6fabdde2f4fbbcf74f0934299f00ce8948ab03ee69687120123f0056f2a8f12b6aea333816fbafebe364603e7c56

Download Submit
C:\Users\Admin\Downloads\Instagram Hack Tool\Instagram Hack Tool\DoxingTool.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Windows\TEMP\sghvfgnfwpsq.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/460-425-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/460-418-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/460-419-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/460-420-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/460-421-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/460-422-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1616-411-0x0000016147150000-0x000001614715A000-memory.dmp

Filesize
40KB

Download
memory/1616-415-0x00000161471A0000-0x00000161471AA000-memory.dmp

Filesize
40KB

Download
memory/1616-414-0x0000016147190000-0x0000016147196000-memory.dmp

Filesize
24KB

Download
memory/1616-413-0x0000016147160000-0x0000016147168000-memory.dmp

Filesize
32KB

Download
memory/1616-412-0x00000161471B0000-0x00000161471CA000-memory.dmp

Filesize
104KB

Download
memory/1616-407-0x0000016146F20000-0x0000016146F3C000-memory.dmp

Filesize
112KB

Download
memory/1616-408-0x0000016146F40000-0x0000016146FF5000-memory.dmp

Filesize
724KB

Download
memory/1616-409-0x0000016147000000-0x000001614700A000-memory.dmp

Filesize
40KB

Download
memory/1616-410-0x0000016147170000-0x000001614718C000-memory.dmp

Filesize
112KB

Download
memory/3736-478-0x0000017E78850000-0x0000017E78905000-memory.dmp

Filesize
724KB

Download
memory/3888-431-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-435-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-426-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-434-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-438-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-437-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-436-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-433-0x0000019C10F50000-0x0000019C10F70000-memory.dmp

Filesize
128KB

Download
memory/3888-432-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-429-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-430-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-428-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3888-427-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4796-374-0x00000197D3750000-0x00000197D3772000-memory.dmp

Filesize
136KB

Download