xred | hxxps://cdn[.]discordapp[.]com/attachments/1311867381668380723/1311875530189963294/Cracking_Tools[.]rar?ex=675ce7cb&is=675b964b&hm=cc7c09037e00883d7074532dda017c879d9b9907d05aa495ae3bfe0d58f546c3&

Analysis

max time kernel
600s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1311867381668380723/1311875530189963294/Cracking_Tools.rar?ex=675ce7cb&is=675b964b&hm=cc7c09037e00883d7074532dda017c879d9b9907d05aa495ae3bfe0d58f546c3&

Score

10^/10

xred backdoor discovery persistence pyinstaller

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	FileGrab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 12 IoCs

pid	Process
5136	unlicense.exe
5716	unlicense.exe
876	unlicense.exe
5332	unlicense.exe
5540	unlicense.exe
4816	unlicense.exe
5348	unlicense.exe
5380	unlicense.exe
3584	FileGrab.exe
5924	._cache_FileGrab.exe
2452	Synaptics.exe
5040	._cache_Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5716	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
5332	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe
4816	unlicense.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	FileGrab.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	api.ipify.org
155	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000002414a-1930.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileGrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_FileGrab.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FileGrab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{DAB74EDA-D7C0-4B2A-9EC9-5CE94F576787}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5012	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
1216	msedge.exe
1216	msedge.exe
1276	identity_helper.exe
1276	identity_helper.exe
4908	msedge.exe
4908	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4212	7zG.exe
Token: 35	4212	7zG.exe
Token: SeSecurityPrivilege	4212	7zG.exe
Token: SeSecurityPrivilege	4212	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
4212	7zG.exe
4212	7zG.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2196	OpenWith.exe
2196	OpenWith.exe
2196	OpenWith.exe
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4872	1216	msedge.exe	83
PID 1216 wrote to memory of 4872	1216	msedge.exe	83
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4252	1216	msedge.exe	84
PID 1216 wrote to memory of 4856	1216	msedge.exe	85
PID 1216 wrote to memory of 4856	1216	msedge.exe	85
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86
PID 1216 wrote to memory of 2532	1216	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1311867381668380723/1311875530189963294/Cracking_Tools.rar?ex=675ce7cb&is=675b964b&hm=cc7c09037e00883d7074532dda017c879d9b9907d05aa495ae3bfe0d58f546c3&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8974b46f8,0x7ff8974b4708,0x7ff8974b4718
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1184 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,12612352477129727299,16176493949697561710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Tools\" -ad -an -ai#7zMap3928:90:7zEvent26101
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4212

C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
1⤵
- Executes dropped EXE
PID:5136
- C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
  "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5808

C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
1⤵
- Executes dropped EXE
PID:876
- C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
  "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5380

C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
1⤵
- Executes dropped EXE
PID:5540
- C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
  "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2820

C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
1⤵
- Executes dropped EXE
PID:5348
- C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
  "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
  2⤵
  - Executes dropped EXE
  PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3316

C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe
"C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3584
- C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\._cache_FileGrab.exe
  "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\._cache_FileGrab.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5924
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2452
- - C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\._cache_Synaptics.exe
    "C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5040

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
802KB

MD5
f4d902e70524666a52182720fe208ab1

SHA1
33774655d0fc10bccd652e95b18fb428dcd80a38

SHA256
6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e

SHA512
5bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
16KB

MD5
61e4576e6aa91cd435fe92f085fb0a3c

SHA1
fa21a6bad3a461c8f0e27b75913c8f1cbe0b2b62

SHA256
78d8aca4e50e6ba58890b68f8c3d6e562ff0b16516a0c3df56be18b69dca6aa9

SHA512
b250c2940f7ca24b763bfcd4d39d0022d6441bad54c415b9848ef949f8871f219289f044301de03313bf8cfa53bb2797c5590acc1b32889b0641f7a13b710bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
24KB

MD5
393c299e47c19be05aedcd791517a68c

SHA1
aa99e53e61c241ac15cb261ed804e0bc6cb8938e

SHA256
a5208d79a8ac97ea138eff1f5b7a891da746832266953833e91d811127036d56

SHA512
b72944b87a89a1768439f403a77c978aab86c61ec493c6fc55cbe1208a9cde0152e50931950b09d715d3ddbf77e267e583f99e0a0bf72b924846ffd92f55d1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
857KB

MD5
9a2aa359b62ef985aea065fbc34878c5

SHA1
b9bf545f2c06dcf8d29bc01d180baf5169b8b24f

SHA256
d82ce7e635c351ac76f9a6fca07ddc3ec323d84560484bb9593b27609066db18

SHA512
800a0376f72ecb8eee8eb2579a58c23bbd1bcf931d95c87528dd3168bcefcffa54216eccded613654449a03ee8c47492c7607e2c14540192c35e807ad5e4a17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
36KB

MD5
63c5621b66e16ef6e61baffe0cfa222d

SHA1
1c3c0bf5a93bdfc9778d5e76ac7e263ab657d0c8

SHA256
80cf6c47b53f34b7a27f2747ada53a0bbf78a6e1574a263754b9077fb083f96e

SHA512
97a3f14f0a15551595cfc0926b910c7d5fe1399dc03a1954a25ad315521c7e0f01e33b1e9d9d7557ef2d3bb3e6f1845fb05a4455cc6e383d129d8ed7aab640f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
52KB

MD5
0ff93f4148df13512a8c5d55503f21de

SHA1
379b6f45eba8cf744bdd0d4cd62400c2325aff00

SHA256
3ce20ff2c00de9b19646f4dc30fe14cc46f615761dbb52573cd15f7a58ed3d66

SHA512
7b2e9977c46a9e07ae4fe8b5065847469aff3ef8415fa62bf45c324709a5fa188a5c7cfe7de1c85e668332be810097f657175eda8fd93566580ac2d64bfb7fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
77KB

MD5
8db17305ccff0b25d05643d4406329eb

SHA1
7b6f2bb0d57ad0d7d42cd670123a436d58bd34e5

SHA256
e21003b724f1b1680beb8b7a2b6dffd891ba2a564c1d2b11431d5b380f3a8ec7

SHA512
fef084076c00ac800d10a2c0eb795fccba0f6e1465c6e85548d63ae13850411d0d1119f7aa6677d5d27140ea3d525e1d1d86b91bfbf2968c2bcb325c3edf8438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
104KB

MD5
0a7a56911d5debf84da3e5b6298e883d

SHA1
d809f4607d3b8fe158cbf474ab1f0fdb24088e8c

SHA256
1acf3dd682f58d103ec0aba76dfff89c618ec2fe48c55ee233be3fb8fcf7204c

SHA512
add6d876f94b1eddfa1cb941c319f5fc80740739b022a9f42e4c698e2de1560a3d0e6aba5d089ba41ee60ff211b14a0462a3604b409353b80326db4e083d0021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
144KB

MD5
0491803b794dc4b37a5d3de175f72d58

SHA1
c8b2e7911749f7c92b9e84218456e0dc3a48c8c8

SHA256
cd2337e9bbea270bd44a011be6cf3f401d27bbc89b245234075d5af9a05089f8

SHA512
8ee6954e6ae4a409c4f2c0524a5b3a35cccc5e6c2b94a7ce4cfd8c0cee7d956d6fda160ba15c67294077f220beb846dce46c37c8bbd4cfb419431b96c8a0fe74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
29KB

MD5
2e8a8019bd404e2f89872302b0008d90

SHA1
97f008622d161dd529230caad60f9970d4a50477

SHA256
905d261e62788a9d8c0b2af6df891045d68ed22cfc744800b4c422f31e43b427

SHA512
523ef01890fc35ecd7439244f1bbb996d4e9cb9b4c2ae12e552f00127739f63662b9da7f6685439de2ebc5f5e593bc63e340323559f5d9c7c676e1339ece2c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
27KB

MD5
f81f6b2a4dcd19e0fa3bad790ae1d3f5

SHA1
70b6513bfbf53ca391f165e87f70aff360df1952

SHA256
e922dadbb7b48a72f5e6c63ab718f6c5b22dd61b8d8b933fb3b5eaf470f25d5c

SHA512
0e6618da9e6dc68ff7c4b8f97bcba3515ce2c212e809f78b4718d250a52922306d37d16eced428de501a23b7a4b9c2791ff90479cefe96dfb70996a581c26c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
efb9f6a1680c9d3ce3abe4d5a75c7c6c

SHA1
a454374b7f43f129d4245e73c2048849a78768c9

SHA256
96919908509422207d3fe3dbdf26a7bf0da651dae2b8481c4dce4ef0812add18

SHA512
1d6fa00634b899162a4e97adf05cdb97ca1eeaec3f43bdef4412ccbe4ae560ee19073817aab38508b724f177e7942b07982acbf918750fad0385d3b5db3d124a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
75bc36eb90da1d6f431bf16acdfc2cb0

SHA1
d3e12764f3e8a5e71101b5cd89168ea851e3e59f

SHA256
2cf2fa39995f3ce341c0a4f4a76ab5d98b1f5b0b37192b0ae623e3f6fc81a7d3

SHA512
d0cdb627ed1787003f394e92340bbcf0db01a8ce51a0b541651b4a8235f755bfe50ef3afd9d89abb6eecaf606ddec0f175a6953d40f0e5bdb9e3ceebeebfbed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
494B

MD5
b8ac3c2dd25001d9d558e2511eff6617

SHA1
0b40e4c7889f81783206e884c1afea3857386ef7

SHA256
fb38546422d499d0b72689bbedfb8d4b43626a85a45c086619a4c90df775a1d8

SHA512
0eaa521948ce6e85d38e46044d39b3045d14219d7f79d4acc2c1004e50ca9985a8e5a97f7265ac038923f30351a7ab7418d152b70fc028fa42d3be5f128066e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4c166986666ad5ea4c51816954170fa1

SHA1
c0bfae6e0f977129bdbf54dff7de92979e533d58

SHA256
5845958744b7ce455a388de1576842daebf94cc763bc0d21a7455247347bc6e0

SHA512
27b0b564aa5d96ccbb2ee6aab253725048b3f591c322318acfeb8e2042e31820ced61ca5ca4cf6e5a703803adf9436e5062deecae626adbd52109558a36925a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a31a02e252ffcbf717f8678a7f820a89

SHA1
bcbdb5afc5e4738357b9265550dec140acd3d7d1

SHA256
8431883d9befa9fec8ac0f4ddc9c581907dd4262c83b03b62e69964d39540198

SHA512
43e2d1c8381cabf58b4edd3b5786798e04e74dbb3a88c18e9f588a8fa27e093c0fa4f95c2973f5a1a49fd05be244c695170ef9b3c94fb8dc4a144a58a7560c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0b1279eef163cf59c205f037dec9428

SHA1
d60204737940b4a8ef2769aa056a082fbf77648d

SHA256
a93c882c3ad9dc899769299f2d1238449eebaa46734c2277a0cc200c9fb25ff1

SHA512
e3608edd65da150442c4be8b4b6430b846c02002ccae481ec51ae9b2ce18f6649232852471aafe1fd3c82866f887097e3059601dac807227660479b0dd575054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
081020d7d584ae4427543e373226f763

SHA1
ecebae33504b93d631d4bb14e6f6677fe7678cec

SHA256
d611145f78885c0002b2106e62665a7ec45a2a3ea2cd14caaad2ab1e8808eb11

SHA512
00dac7c32b58336b42f327718a16b2ee084400a14d47eef7b8d9852129dae7b6b27b86e27e0f9fbbc9f263365c75cc6c39346c0c2fca7306eb0ef3dbe456c1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf5e8e991920e6768480933e7a324522

SHA1
42fa6e8f207f00e3dd5d46d9f1e0327091cd19e9

SHA256
694b3af065d71aaa3531fa9d2b0f3fa58ef87b9378c34c15abd885aae58904b7

SHA512
498f2e2782ff3176ca6b7572a9b28adb1eb71575bbc91dc8de4ec48ccc644685f7cb7b86deb1ee754ff082c677ba57758b11f22f909ca3e381a0d1a092a3d64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb37b6d70ada163ad0db35aa7f7e0b92

SHA1
b6dc12bfa9e9e3c11bbd1257cb26c0566de0276f

SHA256
bbd14632e4ffda68b2707bc3827c937ba3e8c97f10b59dcf6bde8412eaa08973

SHA512
f96c362bb1e3fda9e2a991fe06092857810736ff6e914d646b690007bba8bf13ea7a3983e79668aac6b598a4aaf3d779c20eadbb30de008ee94300e9a8671a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
383274db358a757e9e053073b8080cef

SHA1
b4de211902bb1f5fc7cd458eb86e13063c6b4259

SHA256
b5782cdc33eb3a3a15f5c700c134262dad6ebd650fcf72d6bfa12ec769c4fe41

SHA512
2158c20cb41990a6836d7cab5b0db2e6c4a5f463895c4e661c24caa186cba45b36822fb356b93158133a7609c444c48df287c31f11682cddf178b1415c76ba9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
16fb8fcb21ac36db155fcff2fcc2c5da

SHA1
8f79f89b7fbe0452b27943f2ae011b117d640a79

SHA256
f050316e516138ab32f5e8ca6e0db6bb1952f0604c4015671d3c413e98ba7242

SHA512
34c9c85dc10bd24434549bf670f7466bf41b3d7560e196b91260d8c395c6fe42a056d565585e90a51ca90d297cc3310d7243578e7c840c3153d4f33bd12d7c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
36774d94186e68792051bd7cc9f41a8b

SHA1
37b472004dbf6ae01cc1561f574fa9b83b4dc1d7

SHA256
2cc4ce9a84ab552d0293f9e884a4e921c16bc7ec3f5028bb5d8f4b7e54bee3bd

SHA512
c99879068f707ad9a8ae0de9f3fa9c589c1b0f7d982a14eaef48700d8459d5ec862d711bac311ab9e131de39ec80d059c88d7fddcab898dd50bf84975edbd30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26a526c76abe4e3b912af256ac968170

SHA1
60701303a808f6c1a63c3643fadd5c642b1c19be

SHA256
2ea9b4b6c25848c712b55d78e1654d0a4376f9a135e758cfebf5bc40a4f3638a

SHA512
e35f3e4a6e7afd127766f9013314750477b6ddb1bfb2962ecd4cf8d9a4d0567c9733b58c3473ae73edef042d7de14321f72e0216796485fbf52d0c366e8459f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5fcad177cf440fbaeca6e26494f4c462

SHA1
fe1c4cb3c6487d06828a1e562a21a805bcdebc40

SHA256
97fcdec95061c070fa144d564b8883ee84a63e774c5752f85793eb3f81bd8d07

SHA512
81b0f348ba98255f748d4fd20b71aa60889da49ca0245a5624d0753d852a18ea1f70d35818c641217625f920df7e14801fc7de4a653428055cdf39bde8be44c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5d8be98a446f468db8d480035508585

SHA1
7ececfffe107930322ab7f4f73d10205051d812c

SHA256
c63fa952303c657c448e5a5934e4075e4e28b351e1cb5a9cda7abe8e9f5be57d

SHA512
f2b7777a9586c67085a6a09d334c6253d9c913a696d98cd3e6ff3f67926ca2bc589c62b00201e7cdc866b7bd9eb7d8c61bd91466be8e77823a1091439668a438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9318d17fea95dbfad507d6b2451874ee

SHA1
eed8481218bfe087ef9402772955efe5a258b515

SHA256
56a0c264c96666386d8d40510f09799314872fd3df22c56b6ec1a09cf414d428

SHA512
a0fbe3be277a63858599f9435c50778cf297b7d4349fccbf9b9e70c88db26909fa6c425fd6696593b1ce2489113a965325f5a3309bc6855e54d34a1511c8c41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f33842c75d9d0da2904faaa343577fde

SHA1
5960eb616cbb277d0e0c7766130af9b0cfb0943e

SHA256
9da309f25b208250ccaec726e3920f95c8b51428441217bcf6f10abd6f784fb5

SHA512
50fb2475a92fba099f13e6c3cf509e24475dae5899e4f45b39fcfb3d25a1d16c9bc5eda335bc96dc4c6217d9b1d8d45c0b76a03c99dbb9d1123bbb59d66ae12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a75fc.TMP

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa69af5c8b3787cf5d97d8cdaddcf9b2

SHA1
486c900c1db5cfba58ce5e7294b064b1089c4a18

SHA256
2e156cc909e10160f17eed899a1a1819c4e77ebdf42998e48adac9c908959975

SHA512
74ae13190d3f08f56f8bf5280807055dba2b64d92c4894d0fc462d24d504a5dc458532d65ad7a4735eaed1659f32cda7973f6664235a5b88c6ad7368ccfe4d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88d82dc33af736dfd58d65d2ca2af889

SHA1
3813973eb870cc07a7afab01af711d773bf3cbf5

SHA256
b851cc834c470bc0cefb22ec43bf39413382cd66058273f4f6f642d8acfb281e

SHA512
fbae814a04720c63aa4abd7ebbbcd9c626ad4f997bc2dedede8851a1ab1fd4ca37fe262eb46295427b8e2ed26bcdc86ed5e0f0b224021f6b4d940ae86e990f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\94095E00

Filesize
25KB

MD5
55e931481a1d0e6aad2d1104fcdc259f

SHA1
e7f95b678d4c51ac1c8bc56d25add69c6c071e95

SHA256
56e40fb2602b88cf44026fa553ec536a9f11f69260d3d5db7814136704034767

SHA512
86ece7de9ed0a30e99662ccd2077fe4f93f5c0d66365680e940abe302dd5cb33571c857233eecd08b8a3b9f01dbf5a201ce9c83b1428364fbef9b2c391ed88f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_asyncio.pyd

Filesize
63KB

MD5
79f71c92c850b2d0f5e39128a59054f1

SHA1
a773e62fa5df1373f08feaa1fb8fa1b6d5246252

SHA256
0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980

SHA512
3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_bz2.pyd

Filesize
82KB

MD5
3859239ced9a45399b967ebce5a6ba23

SHA1
6f8ff3df90ac833c1eb69208db462cda8ca3f8d6

SHA256
a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a

SHA512
030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_ctypes.pyd

Filesize
120KB

MD5
bd36f7d64660d120c6fb98c8f536d369

SHA1
6829c9ce6091cb2b085eb3d5469337ac4782f927

SHA256
ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902

SHA512
bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_lzma.pyd

Filesize
155KB

MD5
e5abc3a72996f8fde0bcf709e6577d9d

SHA1
15770bdcd06e171f0b868c803b8cf33a8581edd3

SHA256
1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb

SHA512
b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_overlapped.pyd

Filesize
49KB

MD5
e5aceaf21e82253e300c0b78793887a8

SHA1
c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde

SHA256
d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a

SHA512
517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_queue.pyd

Filesize
31KB

MD5
f00133f7758627a15f2d98c034cf1657

SHA1
2f5f54eda4634052f5be24c560154af6647eee05

SHA256
35609869edc57d806925ec52cca9bc5a035e30d5f40549647d4da6d7983f8659

SHA512
1c77dd811d2184beedf3c553c3f4da2144b75c6518543f98c630c59cd597fcbf6fd22cfbb0a7b9ea2fdb7983ff69d0d99e8201f4e84a0629bc5733aa09ffc201

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_socket.pyd

Filesize
77KB

MD5
1eea9568d6fdef29b9963783827f5867

SHA1
a17760365094966220661ad87e57efe09cd85b84

SHA256
74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117

SHA512
d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\_ssl.pyd

Filesize
157KB

MD5
208b0108172e59542260934a2e7cfa85

SHA1
1d7ffb1b1754b97448eb41e686c0c79194d2ab3a

SHA256
5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69

SHA512
41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\base_library.zip

Filesize
1.8MB

MD5
5327287d65cc9ab041ce96e93d3a6d53

SHA1
a57aa09afecf580c301f1a7702dbbb07327cf8a9

SHA256
73cdfcec488b39e14993fb32a233de4bc841a394092fcac1deb6ee41e24720ea

SHA512
68fc996b4809a762b8d44323a5d023ba8a39580039c748bc310da9878c94fe1685709ab959365ecb26a5ee1a82e65f2eb19344f1f03d4dff48eb87a403a57c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\capstone\lib\capstone.dll

Filesize
4.8MB

MD5
1c0a3d7dec9513cd4c742a7038c73445

SHA1
8a7dcf7371b8c6711b6f49d85cec25196a885c03

SHA256
f59984896a7f3f35b5f169e3d0cc6f4429a363b0f2bf779fff8ef4ccdcc6b26a

SHA512
35182912d37265170b2ab3b2c417e26e49211eb5006b7fe8eae90f3c1c806db2477c5652065173e35f5ba7be4155a89286a6831ddbffccd82d526839bb54a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
e94733523bcd9a1fb6ac47e10a267287

SHA1
94033b405386d04c75ffe6a424b9814b75c608ac

SHA256
f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44

SHA512
07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\libssl-1_1.dll

Filesize
688KB

MD5
25bde25d332383d1228b2e66a4cb9f3e

SHA1
cd5b9c3dd6aab470d445e3956708a324e93a9160

SHA256
c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13

SHA512
ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\lief\_lief.cp311-win_amd64.pyd

Filesize
9.1MB

MD5
4b71e3409eab0ff2c597b708aadc5d3d

SHA1
cd2a29382255a86dd2f402f7df9dfe84515f2e07

SHA256
b6cea0f27e56df286ce2c975e3ee95af5d8fefd440d191d53a0aa0d0c9850d4d

SHA512
45c3fa067748ca303c8ed9dc7a67a692065457c3b2a54d8a333b435017589f8232ac9b97f9fcf6e0aeee34efedfaba5a71f60bb19a2acd0b0f9410d3df3fe298

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\pyexpat.pyd

Filesize
194KB

MD5
9c21a5540fc572f75901820cf97245ec

SHA1
09296f032a50de7b398018f28ee8086da915aebd

SHA256
2ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045

SHA512
4217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\pyscylla.cp311-win_amd64.pyd

Filesize
458KB

MD5
bb134078c74d840020ed06c9d78473ad

SHA1
ea77a6990327bacd1d90c25178c9e9eee6f13f6b

SHA256
70512f3a603eecff58005b7fe81490e62bf2e5054fee41384185f08f08b12ab1

SHA512
4da284ca0f9327fef6c4a4be499bbef00cae7865a3072db38071d63431a849ca281bd44ad80bd30676361081dd1f3c0d91ae5c53d6f5a450e570a48a3a447c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\python3.DLL

Filesize
65KB

MD5
b711598fc3ed0fe4cf2c7f3e0877979e

SHA1
299c799e5d697834aa2447d8a313588ab5c5e433

SHA256
520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a

SHA512
b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\select.pyd

Filesize
29KB

MD5
c97a587e19227d03a85e90a04d7937f6

SHA1
463703cf1cac4e2297b442654fc6169b70cfb9bf

SHA256
c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf

SHA512
97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\ucrtbase.dll

Filesize
987KB

MD5
6169dac91a2ab01314395d972fc48642

SHA1
a8d9df6020668e57b97c01c8fd155a65218018af

SHA256
293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e

SHA512
5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\unicodedata.pyd

Filesize
1.1MB

MD5
aa13ee6770452af73828b55af5cd1a32

SHA1
c01ece61c7623e36a834d8b3c660e7f28c91177e

SHA256
8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb

SHA512
b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51362\unicorn\lib\unicorn.dll

Filesize
4.1MB

MD5
ac83172d51680cb603835f55f6bc54c0

SHA1
fcf9e4c6b57ce161c548d1b488a9db3adce29be0

SHA256
e9a7755b101d8b9dcdf2603fa099e0c86d7f2d5f791073b541f8931df3d2b7de

SHA512
83799b4dbb526d4cc44c9ed8db6390139161e39629c9168907ae931809d1e3b29e7dc655d1408362f78931f541b6ed9931e47ddc15bf2462d07449af70c5c175

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\._cache_FileGrab.exe

Filesize
49KB

MD5
27f87ebebb071afec1891e00fd0700a4

SHA1
fbfc0a10ecf83da88df02356568bcac2399b3b9d

SHA256
11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9

SHA512
5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\New folder (2)\tWWirfQzHUpgWSeHyp

Filesize
33KB

MD5
1898ceda3247213c084f43637ef163b3

SHA1
d04e5db5b6c848a29732bfd52029001f23c3da75

SHA256
4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

SHA512
84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma

Filesize
4.0MB

MD5
6f64ca90f4dde19acccc01c1a5f75978

SHA1
f7d358f39d48f34000c78b43063678fa9a7128af

SHA256
1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b

SHA512
cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\nmew\f_00004b

Filesize
1.2MB

MD5
3ad1246ad83b3da15cb79566f692e912

SHA1
731b4fe9a0cad4259de8287bb03055abeb3028f7

SHA256
da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893

SHA512
a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif

Filesize
43B

MD5
325472601571f31e1bf00674c368d335

SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a

SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\UD Proccess Hacker\Process Hacker\plugins\DUP.exe

Filesize
2.3MB

MD5
04522c0d75b3a49d1a1f2295d7baa498

SHA1
f04f4908b3c7fa9af0f01177564cbf6070f031e4

SHA256
a956b4c5f7add385e7b68752185746d5ecbe933fde77eae2eb44432685296a06

SHA512
3b0bfe0a9f48f7a8d98c8569119148936b46e3253f549cf5d4565bec792123ae7de85be925de8501a9e3b3840c1bce4f198e9a0d38209ed57a32192c9f68f7b0

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\UD\x64\Reverse x64.ini

Filesize
47KB

MD5
97f48bb67a20a16f0a06788c5cd0c7cd

SHA1
a68643027106314c5f6a5492e60755693af3f257

SHA256
6a091ad252b3b946a12e1f8eb55648a8c019b40ada187b85fd589f4f1ae1bafc

SHA512
47d7d795d09977adf04d9bb5b2806c647925747fde3dc2f6e5a4d644936e094003bb10ee3b8f30e9b0acf96b5b203c90956d8b0069dbcb00bac6ab71763c8aec

Download Submit
C:\Users\Admin\Downloads\Cracking Tools\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe

Filesize
47.2MB

MD5
69e2318d24da523c4d6623385a81f201

SHA1
62f8fbf59fabad8052dc215fc6f7527d7fd4e33f

SHA256
33c27d4deaaf54f832849d71ce65ce568eb2ca2bb1f24c21f9cf9f0dde7af955

SHA512
ccdad88cef3469e87d6952779f76b326246dc6e00b22028667924e44fcfa1a19140d73e591014a05e6148169622ea0f7b19c695e096acf44348daa774ce47632

Download Submit
memory/2452-2939-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2452-2840-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3584-2728-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/5012-2787-0x00007FF866190000-0x00007FF8661A0000-memory.dmp

Filesize
64KB

Download
memory/5012-2789-0x00007FF866190000-0x00007FF8661A0000-memory.dmp

Filesize
64KB

Download
memory/5012-2790-0x00007FF866190000-0x00007FF8661A0000-memory.dmp

Filesize
64KB

Download
memory/5012-2788-0x00007FF866190000-0x00007FF8661A0000-memory.dmp

Filesize
64KB

Download
memory/5012-2791-0x00007FF866190000-0x00007FF8661A0000-memory.dmp

Filesize
64KB

Download
memory/5012-2793-0x00007FF8638D0000-0x00007FF8638E0000-memory.dmp

Filesize
64KB

Download
memory/5012-2792-0x00007FF8638D0000-0x00007FF8638E0000-memory.dmp

Filesize
64KB

Download