umbral | 1bffedc1b7463821d78cf8a3922ae351f79264de77ed908689b583fc3dceea7d

Analysis

max time kernel
149s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nurik 1.16.5 crack.rar
Size

437.3MB
MD5

ae6cda2c29e523d08261d8677262931a
SHA1

f1eed58893a381251162cc3ffb5186eb0b659aba
SHA256

1bffedc1b7463821d78cf8a3922ae351f79264de77ed908689b583fc3dceea7d
SHA512

ba9c5488e14de13b184ede8ffe46fed5afdeb7f4108bd6333341d3abfa2dbb9978de0711be86783295812a41de3d5c2bc5b32324ba38710f173a78cfd7d2c90d
SSDEEP

12582912:U8eyYu5LRaaSbmorqMWyMeY8ioclXIb7wRM+QA7gSr89:U8eyY00aSbmmpWyMT8duX87x+/73rk

Score

10^/10

umbral discovery execution persistence spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab82-36.dat	family_umbral
behavioral1/memory/4904-44-0x000001C7243A0000-0x000001C7243E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1012	powershell.exe
1664	powershell.exe
4424	powershell.exe
4852	powershell.exe
3044	powershell.exe
1556	powershell.exe
1580	powershell.exe
4748	powershell.exe
3860	powershell.exe
2872	powershell.exe
2064	powershell.exe
4776	powershell.exe
4860	powershell.exe
3360	powershell.exe
4964	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
560	crack launcher.exe
3420	CrackLauncher.exe
4904	start.exe
4900	crack launcher.exe
2752	CrackLauncher.exe
892	start.exe
2440	crack launcher.exe
2300	CrackLauncher.exe
4416	start.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\start.exe"	crack launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\start.exe"	crack launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "C:\\Users\\Admin\\AppData\\Local\\Temp\\start.exe"	crack launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
32	discord.com
38	discord.com
60	discord.com
5	discord.com
11	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1920	PING.EXE
2596	cmd.exe
1724	PING.EXE
5176	cmd.exe
5244	PING.EXE
3656	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
880	wmic.exe
1940	wmic.exe
4732	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{8736BC9B-9A4C-48DE-B428-7A4109A02737}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\URL Protocol	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\shell\open\command	CrackLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1920	PING.EXE
1724	PING.EXE
5244	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	powershell.exe
1012	powershell.exe
2828	7zFM.exe
2828	7zFM.exe
4904	start.exe
1664	powershell.exe
1664	powershell.exe
1580	powershell.exe
1580	powershell.exe
4748	powershell.exe
4748	powershell.exe
4816	powershell.exe
4816	powershell.exe
1832	msedge.exe
1832	msedge.exe
3776	msedge.exe
3776	msedge.exe
424	msedge.exe
424	msedge.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2828	7zFM.exe
Token: 35	2828	7zFM.exe
Token: SeRestorePrivilege	2676	7zG.exe
Token: 35	2676	7zG.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	4904	start.exe
Token: SeIncreaseQuotaPrivilege	772	wmic.exe
Token: SeSecurityPrivilege	772	wmic.exe
Token: SeTakeOwnershipPrivilege	772	wmic.exe
Token: SeLoadDriverPrivilege	772	wmic.exe
Token: SeSystemProfilePrivilege	772	wmic.exe
Token: SeSystemtimePrivilege	772	wmic.exe
Token: SeProfSingleProcessPrivilege	772	wmic.exe
Token: SeIncBasePriorityPrivilege	772	wmic.exe
Token: SeCreatePagefilePrivilege	772	wmic.exe
Token: SeBackupPrivilege	772	wmic.exe
Token: SeRestorePrivilege	772	wmic.exe
Token: SeShutdownPrivilege	772	wmic.exe
Token: SeDebugPrivilege	772	wmic.exe
Token: SeSystemEnvironmentPrivilege	772	wmic.exe
Token: SeRemoteShutdownPrivilege	772	wmic.exe
Token: SeUndockPrivilege	772	wmic.exe
Token: SeManageVolumePrivilege	772	wmic.exe
Token: 33	772	wmic.exe
Token: 34	772	wmic.exe
Token: 35	772	wmic.exe
Token: 36	772	wmic.exe
Token: SeIncreaseQuotaPrivilege	772	wmic.exe
Token: SeSecurityPrivilege	772	wmic.exe
Token: SeTakeOwnershipPrivilege	772	wmic.exe
Token: SeLoadDriverPrivilege	772	wmic.exe
Token: SeSystemProfilePrivilege	772	wmic.exe
Token: SeSystemtimePrivilege	772	wmic.exe
Token: SeProfSingleProcessPrivilege	772	wmic.exe
Token: SeIncBasePriorityPrivilege	772	wmic.exe
Token: SeCreatePagefilePrivilege	772	wmic.exe
Token: SeBackupPrivilege	772	wmic.exe
Token: SeRestorePrivilege	772	wmic.exe
Token: SeShutdownPrivilege	772	wmic.exe
Token: SeDebugPrivilege	772	wmic.exe
Token: SeSystemEnvironmentPrivilege	772	wmic.exe
Token: SeRemoteShutdownPrivilege	772	wmic.exe
Token: SeUndockPrivilege	772	wmic.exe
Token: SeManageVolumePrivilege	772	wmic.exe
Token: 33	772	wmic.exe
Token: 34	772	wmic.exe
Token: 35	772	wmic.exe
Token: 36	772	wmic.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeIncreaseQuotaPrivilege	1236	wmic.exe
Token: SeSecurityPrivilege	1236	wmic.exe
Token: SeTakeOwnershipPrivilege	1236	wmic.exe
Token: SeLoadDriverPrivilege	1236	wmic.exe
Token: SeSystemProfilePrivilege	1236	wmic.exe
Token: SeSystemtimePrivilege	1236	wmic.exe
Token: SeProfSingleProcessPrivilege	1236	wmic.exe
Token: SeIncBasePriorityPrivilege	1236	wmic.exe
Token: SeCreatePagefilePrivilege	1236	wmic.exe
Token: SeBackupPrivilege	1236	wmic.exe
Token: SeRestorePrivilege	1236	wmic.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2828	7zFM.exe
2828	7zFM.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
2828	7zFM.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2828	7zFM.exe
2044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
424	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2676	2828	7zFM.exe	77
PID 2828 wrote to memory of 2676	2828	7zFM.exe	77
PID 2828 wrote to memory of 560	2828	7zFM.exe	78
PID 2828 wrote to memory of 560	2828	7zFM.exe	78
PID 560 wrote to memory of 3420	560	crack launcher.exe	81
PID 560 wrote to memory of 3420	560	crack launcher.exe	81
PID 560 wrote to memory of 1012	560	crack launcher.exe	83
PID 560 wrote to memory of 1012	560	crack launcher.exe	83
PID 3420 wrote to memory of 4824	3420	CrackLauncher.exe	85
PID 3420 wrote to memory of 4824	3420	CrackLauncher.exe	85
PID 560 wrote to memory of 4904	560	crack launcher.exe	86
PID 560 wrote to memory of 4904	560	crack launcher.exe	86
PID 4904 wrote to memory of 772	4904	start.exe	87
PID 4904 wrote to memory of 772	4904	start.exe	87
PID 4904 wrote to memory of 1432	4904	start.exe	90
PID 4904 wrote to memory of 1432	4904	start.exe	90
PID 4904 wrote to memory of 1664	4904	start.exe	92
PID 4904 wrote to memory of 1664	4904	start.exe	92
PID 4904 wrote to memory of 1580	4904	start.exe	94
PID 4904 wrote to memory of 1580	4904	start.exe	94
PID 4904 wrote to memory of 4748	4904	start.exe	96
PID 4904 wrote to memory of 4748	4904	start.exe	96
PID 4904 wrote to memory of 4816	4904	start.exe	98
PID 4904 wrote to memory of 4816	4904	start.exe	98
PID 3420 wrote to memory of 4348	3420	CrackLauncher.exe	100
PID 3420 wrote to memory of 4348	3420	CrackLauncher.exe	100
PID 3420 wrote to memory of 424	3420	CrackLauncher.exe	101
PID 3420 wrote to memory of 424	3420	CrackLauncher.exe	101
PID 424 wrote to memory of 1528	424	msedge.exe	102
PID 424 wrote to memory of 1528	424	msedge.exe	102
PID 3420 wrote to memory of 2472	3420	CrackLauncher.exe	103
PID 3420 wrote to memory of 2472	3420	CrackLauncher.exe	103
PID 2472 wrote to memory of 1476	2472	msedge.exe	105
PID 2472 wrote to memory of 1476	2472	msedge.exe	105
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108
PID 424 wrote to memory of 3060	424	msedge.exe	108

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1432	attrib.exe
2524	attrib.exe
2308	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nurik 1.16.5 crack.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21225:94:7zEvent9626 -ad -saa -- "C:\Users\Admin\Desktop\ConfirmCheckpoint"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\7zOC0B03F58\crack launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC0B03F58\crack launcher.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDxDej44bY
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:1528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
        5⤵
        
        PID:4216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        5⤵
        
        PID:4804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        5⤵
        
        PID:4080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6759426138937557758,5160048655465662605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
        5⤵
        
        PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/sk3d_club
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4173316691311917437,6659156795043156328,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:1308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4173316691311917437,6659156795043156328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:772
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Views/modifies file attributes
      PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1236
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4212
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3860
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4732
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\start.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3656
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
- C:\Users\Admin\AppData\Local\Temp\7zOC0B4B7B8\crack launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC0B4B7B8\crack launcher.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDxDej44bY
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
        5⤵
        
        PID:388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
        5⤵
        
        PID:4436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:2936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:4680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
        5⤵
        
        PID:1228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        5⤵
        
        PID:3492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3528 /prefetch:8
        5⤵
        
        PID:3152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
        5⤵
        
        PID:3436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
        5⤵
        
        PID:3284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        5⤵
        
        PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
        5⤵
        
        PID:1496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
        5⤵
        
        PID:2348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13227873671677240935,12136416059969105607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        5⤵
        
        PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/sk3d_club
      4⤵
      PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:2748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,15969588098250782506,16245588662206370187,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        
        PID:3940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,15969588098250782506,16245588662206370187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
        5⤵
        
        PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    PID:892
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4284
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Views/modifies file attributes
      PID:2524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4604
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:3652
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4520
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2064
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:880
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\start.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2596
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
- C:\Users\Admin\AppData\Local\Temp\7zOC0B50429\crack launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC0B50429\crack launcher.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDxDej44bY
      4⤵
      PID:2372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x9c,0x12c,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/sk3d_club
      4⤵
      PID:1364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9ffa43cb8,0x7ff9ffa43cc8,0x7ff9ffa43cd8
        5⤵
        
        PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    PID:4416
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2240
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Views/modifies file attributes
      PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2912
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:668
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2240
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4964
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1940
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\start.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5176
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\crack launcher.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\start.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec618c8c5adcf03e5e21455e43303967

SHA1
f11ba5dd40e5cfdf084ce4a4de7b7e3c05a23225

SHA256
ce0e01010d44b5bd8736349409d5a4ac078b1e2d5718d783a3c424be401ae4c2

SHA512
4ca2a24872f25e96d6b6df1114372dd8dc18f6701cc143ddf336be48ebe6f60e22d52acee8333da0b415ec5c707d7c620dcfeb820209613d7464e208be36de3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e2312d2d3de5fc9fd9dafca91944a6eb

SHA1
e54dbd925e5aa48dbaa0f53ac964fc983945aa4d

SHA256
b5481c10ef65de9fae7d58aafd83150b4b249298345c02b8f3232beba85d96f8

SHA512
0540be86db5fab4b17fefe42e5ad336c7d95032861d903a6a4940cc8a9a70f53477bfbb023391cb62c08b9cd9465c4a9513578f9c0ed43b1754cd93693581631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
5d8fd45005adad79f26092820f69e775

SHA1
62c3613766a2f40b79d77f3f1c31549cdec1e65e

SHA256
837b370687b020d12df908b53235fa8b9d5e0477dcd13d7911e3de5473b0599b

SHA512
7ef99d5108eeb96980b4891f7446e1751576e3f9cb02dbf2fd20e176565218fcb557855d8f2ea244cb79e77f65c60cbfc091f68cf63f7dfbd75c062e1b206e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
21733ac16a9c86a96eeac42454038d09

SHA1
81ad128977a0710346fc6b4b0e542d864816b446

SHA256
ab5e823d97f88d67b2cc2860fca3ae01eafd4cdc8a4c923dbcd436e5d78b80b2

SHA512
b68f0f205576c899a5e4b0f247fdca5930d580a7c776c868616e777aa9649e12817e554202cdbf197ab7f439eafed8e09d8bca381b3ff9fdbe3afc99905aba12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
02c6480c7b2dd49e3f898843ccb1f436

SHA1
bdf81734f29fd3b7edb9541d1d849f1fa9ecc517

SHA256
e3ab48e358a4bc91acc29b2d7739c8e33da613cdf8f088673355edeed1472b31

SHA512
9bf8ff0359e49fec76d9efaceb387b9a3a58738a3290864ed74b1842ad7bb91e22b046c121f4bf8ca169c0226c037edad0802ff04eabddae2900b1b0e15ee637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
65afb168ee6fed391c8eab0edbed1d0d

SHA1
371df1bebd4c4dc6e99e46cc7a4480c987a49030

SHA256
debcb041c48b74783388f7822ac5b8e2d7d8395e97070c67258b2af2b8550274

SHA512
0804507066ead24c8fdc50900ea79ca7aa05a6f0b60e890d48d43be57ce185e2581ae20babc98ec2966b0f9862ed1dfa7272b0641faa124bd188190d0be3c5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
fb7f4faae3fad8061bfcd5a885df9302

SHA1
a73dc0cb83e3870ad3b803f839191f03048fb05b

SHA256
449c2954fa7d41204b3a96de897bece258050ee8b809e33cb5eec916b54ec8d8

SHA512
3e5ee6877e33380f7c3704b95c207400671403e5425d4b6f7f00bf6ee143448ce4479665edcecebf8ba7536ae7200484c5acab71227b5f4ee7b5e7c89c8d63ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
904B

MD5
ef237fcb0916372d4838c09da7f00655

SHA1
d411e68d09c34f29d8a1139cb801227479f69ca7

SHA256
be0ece8769275b6691e9795488a81c461e5929d811a39a19d3effffed5e2e3ba

SHA512
c629fdf7f50f2657ea863c5edf64eff376a3e18443db3fc802c22fa9bc9cb9009eefd6b9e9acc83b298430ad45f3980849e648fe7c53cc670afce0a76fc9a741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
84B

MD5
af942f530837e65229c0800befc0b446

SHA1
56b8a8655e8ba4d06d03feb9067f0615ef93dad9

SHA256
b0e443f7480f53936c38c42034db17a45a0ffebb38abcbe5ecbd660019ac9648

SHA512
e750cbd3bb75a6e088b9bb93ef4badc064c62034ec1259ae8471ca2940f2e45ae29cc94bd5d4b86c1cf45165e39ffaf09c8ebd6f18f178fa32d86937d76a4cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
328B

MD5
9f7b85c27d74c4fa820d77fa1ae532ff

SHA1
dd90c7df0de5b05343af21dbcb20b50afcfe9f14

SHA256
59443e6a2b18c313014faeb54245c5f928263dfaea55a5fa9492447851e1a342

SHA512
04fabca53b7d29224a33d00b3c693047fc9b4a482e951140152366e6428fb449798a0f199e06065272dbc52f8996815db47814299e8c478e2e5a0ba7a58ca617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
655B

MD5
167d9aff6521bd814703af0982271d31

SHA1
3ebca87df0e1ba3711bb58b2369d7d96e76b1cc7

SHA256
ae7094b8ecc12bf39f451a7c0f0fac1ea695c5c4e6f3752eea58433460b45fa6

SHA512
8967de4e572bc20dfc13caaee2c8f129dce4227729875c71a412137863f2637a96303952c74684f3fa7d10bc2c50e20bf456107d281fdba9fa5a3dae80d77acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e77912bc37b0f7039150d21e49127337

SHA1
f578cdb02a6666668f925f9b4471f5158580e003

SHA256
4d15302f158611eae18d49b0220316ae89e5c51f93b04d7851bc28885075dd35

SHA512
38fbdf1ae71b8d6e4691f173d2194262d6812fadcf2f1cbea637ba23fe0c1e6f4e6707f3b4da98bdf98c314e625b10e5aca3e7822f9e2a3453f933385e1f9374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2788c4b7ba30d0305a20beb5f5803a64

SHA1
92460fd14ccdf488b3c9de3f60a272af669cea46

SHA256
f57ba4d3feb808975dfc8793cb5eeaa2ebb0516b34f56b0306636e1bcef492d4

SHA512
2c9cc678b1297cbd64c0c13262a1adf6c48014932f2808ce61efd8241f71ba6f193556358f4fed9bb567feece6bf350703266d4b3f4c502a72333a25fcb8df6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5ebeb6dad07e590a3901d1c0cb31ec7

SHA1
5122b622d69cc05efa124a762a57bf1aae3f2636

SHA256
27bcc93d252447ac45a7a83e859d35c4754172b301a1fc23f919fd8462678c47

SHA512
99aaadbbde70bc8a04223d0fdc9a65554b0f8c1e76be4c921337e78331afad21ba55e32482896f8a9a7601a3ced5fe41ef7bd53ff94ed2b86a1c82aff9073e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72b648d1efdf1cb00b9177a67a9ce53e

SHA1
dbf575863e82194e9f8066a168d4f0c9528e73eb

SHA256
a5939aa7006bb01badbeb03b2f5a0d084d5068d024027c58cb42ca6dc961fa48

SHA512
9226b06e29962e24ffbc7707f9f25ad91e1ff593439ca224741c9d6ebce4adcfd85030019f410a6358e3bd19fff37d56c2939b8f6fa78ccea6334855b5df6d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9dbc3adaf25f60ed677d9799d9b4020

SHA1
c842426409552cec971e58de01454cbddcf174a9

SHA256
6d5e092dbce797b4a03dba33a27b1086f0359d6e3869191835616fe09c1ba9fe

SHA512
5eb9ff997c9d0183facc0c1b1137528cc0205fde2d755d9cc559ef9f007e8a54a7db83d1b15b37fceb621b4c7a844b9735f5f07bb75fa96e0faeebe246a2ed4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
129c2d9d59902e27e330f075b95169c6

SHA1
d002d2b34985fe839921e0f3aebca6549559da68

SHA256
810ddaaf8cfd56b85374e25e96ffbbc33c991782af0d5c7239a07b65e5eecb21

SHA512
0c04c09f579860f30650f4840afd4171e2aaa5021d7533455da34fdb8ce6a3610f8347275d11998776143dcb171e522a75fbab296d3fc42b4758ff08c57531b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13378502121293920

Filesize
2KB

MD5
164e171eaf5754ef10a16680719ad437

SHA1
ce44fd71afdf770764f9b92dfdb5ab3a5214af22

SHA256
c0aec82e9e22c9d4c6391822a8126cd916733b75bcaf6454fdbe4a36e322d880

SHA512
4a57831c759e317e7ce1ae8ce2d3c2aa194e282480e78729f80ea2f47b62d0e3ae2f4b9dd47312a4a58d68a706c17a9c9138a73966ddc55fa4b5d54ad6aff4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
f7b86d238d770b29baa2975448eeb8ab

SHA1
bb7adc8a431e61d956c7babb4065d78617aa55d5

SHA256
58b36f8a7cfbd2bb1402cdf0f55c9c75242cf418487aafe5a4d933ca59d6f25e

SHA512
101cd93648e826f29e2084479933ce490b91a1a045d7564bf253e0a8d5b08528ed0bbe6e37f0db29d690505cd690bca21a503f545f788b681eee33ab8dfbe550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
f92ae5dc53164c7fdc40eba44a6423ee

SHA1
5b7269c271cd4d4d28341515dfdbce01730357e6

SHA256
08af4612da87dde4e74d16c0d2beeb1d26f7d57ac93a6073386543ea8b145638

SHA512
7f7dc142ec1d116d19c8fd35921357a8f9f92bdb130b35908aa179416e7fad8630779cd12acb21d040e6850846a26aa47b36a00d830e8e4d3c0f1f01848823b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c5e4c21b5e3574e432b3a927d7dd2110

SHA1
9738563329d4810b86784d4d5797d7605c90d14d

SHA256
8dfa64b69258f795b6d87b85fa2b8a88c4f4b5c6d052fea3eeb10c0a8fc34a6d

SHA512
3f0d06422b62e736de61f94614954f8b544226125d7d5119d4ee9dbc9c3457d3b7ec3471c2cbf0934d7edb5fcaf35cc6c84bf0da6c5abd8ec822ccc06d0ce9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
cde8f77b7b156276859526f45af6289f

SHA1
f6009dc413d8ac0df4a1fae3e61450fd5ed6e39a

SHA256
e1f9f53d1dd57e3924d15cb7ed733e868103e391aad6dd7a5fa9ac1772bf6b50

SHA512
e6d8d4058520f2efd18fc7be2614ee22826fadc4da12f527f6b6268f32d83855a468c8fd6d24f60d4189d015093f6e9d5592a6513103242fd0850cf8176c262b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
62f20dcd4c7a0c38645c39d2d9d83232

SHA1
6a9c505e7fa228bf9e7baad48965bd17ebf107e6

SHA256
a0a1a39919e993300c3441fb75453a36f574cdf372141a1ff29d1495986827af

SHA512
1cf46e3122bd76c0440d917049e28ee86d396451f6382e031d36c59084edabf2f0588a04fc9d9ff9834551170f64c2195d1955ccafbc6f2dc8ce3752548c4f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
ae481b65ae92a893cf02743efe509852

SHA1
7decf081053d0e9c666746e30639812a32e4a345

SHA256
d86ea9743188d60d2f6155b45f0293cbe2f71be82e14a5f2f45695d81cc35f41

SHA512
2253c975b0df2afc9b449d630c5ff50469ba5ca08aa5ebf7404aaa7262b134f9debc0b50492fc922f66e47ea72b43b8c99e626a9ee593c538d50046d82ae8d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19c39e371e9abae8fc27526686da202d

SHA1
05c2fe32da771688d16a466d3ab885419652df5a

SHA256
837d3c49334518a6c59c70a62800645fc60838208a746ef20d1bca5db5d79b1e

SHA512
1929149e9b9360bdfbea12ead7950152b0ff0ae94beebe5cef0662c1188787633455fa1cbe7aabf65ee43e5830fa027127883511e5a2415eeb4c981da0f399fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
18db61347b2da91f6a473a82113e522d

SHA1
2c1b39f35ea34e21b2c1fc40e02b91655db1f7ce

SHA256
99c9754ca17982e1d616c79a510f51fec64aaecf700c666d9df45aaecaf8424c

SHA512
2ece1c75b5b0e6f737f67bc266b7c7d0672328e11af6df53faed70e22e743cb3ceab20ab85236cecf71ec2c6d0af91098c1f51ee4c1bb39d9d49f86146a8c412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6db223ad28a5ea662b3d36507c59035e

SHA1
2ac5520860990d25ba648c13891b32678f1e3718

SHA256
a995b0d4a88e8618f1d3d56bcb015935cf51c7e23e46f7de643aafd13564688a

SHA512
47dd170eb429adcfebcc77ba41ac753660f6d2df4fcb73c4195e549c10e4c96e495e3dd3185e2cc727ac2e6133ba24df96d414a21eae938436c6be428e9cb0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16e8f2405558531b37f3ad0649739108

SHA1
bd90a83dd7d9691a81cf38f0b71c43da08015660

SHA256
1d7cac52cce41fb26c24dfeb26cff793b9c0d07dee9c5e82e4ab91a9aeea2a73

SHA512
01e7ea22f60641c9632f0a629908e02c83e9a3f4d9777ac746d916c5a4c1ab15cce0b3ffea05a4bafff994c3e29ba87173c22bd35867d6b75c2be227cc69e4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6da6916fa9245b1eed0e6943fe036725

SHA1
55bc5efa8818bbcf3c64e14f6ba628482611adc7

SHA256
ce33a3ee1e865e4ebedc1860982873d85858d36d9810e45434460a233d65e864

SHA512
4c931e7357b6189a0c42177e297cec0899af892137213939d65f4be37d117d1f70130096b6031e1f111b736182ae17c024b47c8e4fe3f570ebee1c0dfc7a63d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
5e592a4acd04ad8b8f6e53939d567be5

SHA1
ee326ead4ad8eb7b7d3d8b12db04512b70da54e8

SHA256
ab6649bf19c81b847dcddc863d78cd389115828e379c5ef43c654038e76765b2

SHA512
cdd26f6b49a619642653efd9c5063afae99a13bea7c1277ee501ece36aa844cbab71e4d0fb0016b002eeac3f399e66ef555c4b465656409b9c46a3f820e409c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a3470a4b3c0d706f2ed8af047986c02

SHA1
cab3ccd70e537ff7ff9e4be5cca9f1494c0450af

SHA256
288696fdc06f2f3d697460c013c41782c65462647981777f16d98277028dcf05

SHA512
cd7ceedb74ab0a08b3f986d534b596578b430675f80b063133896904d190e0c6b296d74fb0de423f93d74bb35f5dbfb51e123127054e1197dd3453eefeac89b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1960280314c735639e728f9b727caebd

SHA1
f1e8bccd56bccfa742dbf0216527f5e16a66b0a7

SHA256
da591848fd7cfbbb0e047513bfb88c374c4332c4a2ead0d394feed0c107b465e

SHA512
9ea63b67f4f32590c5268f892752b3192c9bd6e905278acda7c8fdb93d62291444b7439eeb0964f5ef148e2562891bc047fdfc47bb30853cf67f832d5b6bfab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
711b161528f4959c4b7463036c7324ec

SHA1
53b30cc796c0dfe0cd4c4406202a19139cb5407d

SHA256
7c077fb04d4911778ab648b657b43c9b464393d734dc7fa029ee0f085c6a5638

SHA512
565d0e3e229894de91ad37a16c261bf380e983ffda750f32e8ad361c0606c62043a0188f45d252fecabc6438bc9e7b2c424b101073162ba9633bacd03b42af9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb2537b95d76b36f1110219bde127d2a

SHA1
b32ab5ea919207d25749d8af8b21e954615ddbc8

SHA256
b270e73c312010b0e028879f63897e95e4a1f0d87d4964a18d587160c7c4797c

SHA512
113b0ea81a3af8902a4c441f29a90b43146089688deda301b5e08c2366a297c464c527ffb5fb707a4270bcad8c72331b512a87301365d759036ea2222be8806b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57f794c9b1ba6bab003d28e1a6173f66

SHA1
4717a94dd2054260087a84e127bce1c22a24ccbf

SHA256
bd922311943b8e7af01ccb01354f1da79ccb9d2217cfe3455a0c57c2b09a2074

SHA512
475c5df9440548f058e9ca1930efbad7b8448aa447e54e18377153fd1453a4adf3300b9684db04c8531d4b9d5011f90affed3a5b833c73980a85e1a459d471ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a0e27123ec2730bd5d89828fd6a41cc2

SHA1
d1099e93025598a470d6cc9c0549595e8f8e9a7f

SHA256
fda70f35a9cbde9e93461cd72d0c668f964d8b07e5c43322e47ed602ceb177a9

SHA512
b73fba4357362fa2057fe5216490da71958e1edb6fd08fe7cd99d214a8a1a5381ff304584c7969cedfb790170ecd65cbe96e006c5d2e41ceff587138ba244d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ANviZjHGyyhOkz

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cIKquwlfv77uQb\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
b8185d4f87c8aa0eafa38fe8d5357d66

SHA1
1bd0a795bbac0211cb39f34bf014b1cf0fa597dc

SHA256
4f8aadf758647f7b423b5b31e36079e3ef0f3015bc5d82a924afe54378507661

SHA512
acb2ed244ddedef7bcaaef88852d2a9a599ffa476d2ba6414141b7cf60c5911e709b79a5127eb3419b551a497871d438fc2771aa429c62bd0bc329f9da78bd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0B03F58\crack launcher.exe

Filesize
1.2MB

MD5
0f55e889e593cf4c0e849828aa046474

SHA1
fcaa844ab8bd537efb24bf214c61ef4cc8e61c56

SHA256
0487e676604e90b56d78d20456ba9ac744cdcdec1d136bcd58d69582c06e1527

SHA512
59b1987f2a07abd01b1e0850ca66aef82118fd40a32539424c6f0dcfd2c87b8269e7d69fe2a86f926628203df8e646cdc240e97a0b477832cf0cc6a91e0437ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0B4B7B8\loader\mem.cfg

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0B50429\loader\lang.cfg

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

Filesize
102KB

MD5
c137c5f5287d73a94d55bc18df238303

SHA1
95b4b01775bea14feaaa462c98d969eb81696d2c

SHA256
d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0

SHA512
ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pknkdt0u.w3l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTCVUaYFI4BDOQn

Filesize
20KB

MD5
b84372401f0d4905440d6f6b996619f2

SHA1
2e9fb03869aa1f6081fc701e5081971b264b91c5

SHA256
9ac83baa61319340b9442d70fc70302a1ae49c8a26a09c6ef0496bf7ec03aa2c

SHA512
623b8f9ecd51329d05613a5defef6f53512a25dc5528a8295b467c73a8da1ef506b7aed96221cab3365d99398bb4621e11623f4b07905f6c2c8d952db817c028

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4iJiTqjQX8V4cI

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
229KB

MD5
b3606e42801e841a9d66fe3be7b8a7c9

SHA1
d3d637c6e2c1408649e14b4682aa9b525ba58237

SHA256
bfd0afbd2a542685b726c61c311295c44da00e4281cdf05f9073552115104683

SHA512
a2452b44c755b35b7276663286346159a0623a04b625acaa565d7444b3536b1241af0661b89dc05f42b3f8124d86ca691cdbeffe0c05ad69bc88cd9dd9c0fbf5

Download Submit
memory/560-12-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/1012-29-0x0000018843AB0000-0x0000018843AD2000-memory.dmp

Filesize
136KB

Download
memory/4904-44-0x000001C7243A0000-0x000001C7243E0000-memory.dmp

Filesize
256KB

Download
memory/4904-67-0x000001C73EBC0000-0x000001C73EC36000-memory.dmp

Filesize
472KB

Download
memory/4904-68-0x000001C73EB40000-0x000001C73EB90000-memory.dmp

Filesize
320KB

Download
memory/4904-69-0x000001C7261B0000-0x000001C7261CE000-memory.dmp

Filesize
120KB

Download
memory/4904-104-0x000001C7261F0000-0x000001C7261FA000-memory.dmp

Filesize
40KB

Download
memory/4904-105-0x000001C73EC40000-0x000001C73EC52000-memory.dmp

Filesize
72KB

Download