Analysis
max time kernel: 791s
max time network: 784s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 15/01/2025, 04:33

Behavioral task: behavioral1
Sample: Downloads.rar
Resource: win10ltsc2021-20250113-en

General
Target: Downloads.rar
Size: 234.8MB
MD5: 8b3aaaccd8a5144c2353269608efa782
SHA1: e9bd551725403a0938404d599d19b2328b45d5eb
SHA256: 4703a486b7b3cc3ea426bfba5247bba27e608df3bb6bb3f02c5d385acde46112
SHA512: b25834eddcc2751991908df42c6615115d2f455c3a7d15077328870c67011d924604e402e56f2d09c9cd8d99898906eb348f9e630d05770f7bcc223741f80892
SSDEEP: 6291456:xoS5S1mHkSm2Ke1yEIev8MnUtHQCblJM0nHI5o:e4S1282d1yEBUMnCQCwcHIi
Malware Config
Signatures
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | disk spoofer.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | disk spoofer.exe
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | disk spoofer.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | disk spoofer.exe
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/files/0x0007000000047019-6634.dat | net_reactor
behavioral1/memory/3720-6636-0x0000020A03E90000-0x0000020A03F6A000-memory.dmp | net_reactor
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | disk spoofer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | disk spoofer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | disk spoofer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | disk spoofer.exe
Executes dropped EXE 26 IoCs
pid | Process
1544 | 1337.exe
4724 | dumper.exe
1736 | dumper.exe
3720 | disk spoofer.exe
2520 | disk spoofer.exe
668 | rtg.exe
2012 | rtg.exe
3440 | rtg.exe
1376 | FileGrab.exe
3792 | PE-bear.exe
1188 | PE-bear.exe
3932 | pestudio.exe
3008 | unlicense.exe
5092 | unlicense.exe
3648 | unlicense x32.exe
4300 | unlicense x32.exe
4440 | unlicense x32.exe
1056 | unlicense x32.exe
2208 | VMPDump.exe
2532 | VMPDump.exe
2204 | VMPDump.exe
2740 | PIDGet.exe
2900 | pssuspend.exe
2360 | pssuspend64.exe
2080 | pssuspend64.exe
764 | rtg.exe
Loads dropped DLL 64 IoCs
pid Process 3792 PE-bear.exe 3792 PE-bear.exe 3792 PE-bear.exe 3792 PE-bear.exe 3792 PE-bear.exe 3792 PE-bear.exe 1188 PE-bear.exe 1188 PE-bear.exe 1188 PE-bear.exe 1188 PE-bear.exe 1188 PE-bear.exe 1188 PE-bear.exe 3932 pestudio.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 5092 unlicense.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe 4300 unlicense x32.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/files/0x0007000000047019-6634.dat | agile_net
behavioral1/memory/3720-6636-0x0000020A03E90000-0x0000020A03F6A000-memory.dmp | agile_net
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
31 | discord.com
32 | discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
29 | api.ipify.org
30 | api.ipify.org
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | disk spoofer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | disk spoofer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | disk spoofer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | disk spoofer.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e861ca19-589b-445b-8f57-167c5fff41a3.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250115044530.pma | setup.exe
Detects Pyinstaller 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000047016-6954.dat | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unlicense x32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unlicense x32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unlicense x32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pssuspend.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileGrab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unlicense x32.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 62 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = 00000000ffffffff PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\MRUListEx = ffffffff PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 68003100000000002f5a77231000435241434b497e310000500009000400efbe2f5aa7242f5aac242e0000005f610400000028000000000000000000000000000000aaf2a90043007200610063006b0069006e006700200054006f006f006c0073003200000018000000 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 = 8a003100000000005c59938c100050452d4245417e312e305f5100006e0009000400efbe2f5aab242f5aac242e000000016e0400000007000000000000000000000000000000e5f00301500045002d0062006500610072005f0030002e0037002e0030005f007100740035005f007800360034005f00770069006e005f00760073003100390000001c000000 PE-bear.exe Set value (str) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" PE-bear.exe Key created 
\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\NodeSlot = "13" PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 
660031000000000052594a841000435241434b497e3100004e0009000400efbe2f5aa7242f5aac242e00000060610400000028000000000000000000000000000000ef63280143007200610063006b0069006e006700200054006f006f006c007300000018000000 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "14" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 PE-bear.exe Set value (str) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 66003100000000005c59948c1000435241434b497e3100004e0009000400efbe2f5aa7242f5aac242e00000061610400000028000000000000000000000000000000eb7acf0043007200610063006b0069006e006700200054006f006f006c007300000018000000 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell PE-bear.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Generic" PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell PE-bear.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff PE-bear.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 PE-bear.exe Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 PE-bear.exe Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU PE-bear.exe Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 PE-bear.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3792 | PE-bear.exe
1188 | PE-bear.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4724 dumper.exe 4724 dumper.exe 3720 disk spoofer.exe 3720 disk spoofer.exe 2520 disk spoofer.exe 2520 disk spoofer.exe 2520 disk spoofer.exe 2520 disk spoofer.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 668 rtg.exe 668 rtg.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 2012 rtg.exe 2012 rtg.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 2520 disk spoofer.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
4140 | 7zFM.exe
4952 | taskmgr.exe
3792 | PE-bear.exe
1188 | PE-bear.exe
3932 | pestudio.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
1004 | msedge.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4140 | 7zFM.exe
Token: 35 | 4140 | 7zFM.exe
Token: SeSecurityPrivilege | 4140 | 7zFM.exe
Token: SeDebugPrivilege | 4724 | dumper.exe
Token: SeDebugPrivilege | 1736 | dumper.exe
Token: SeDebugPrivilege | 3720 | disk spoofer.exe
Token: SeDebugPrivilege | 2520 | disk spoofer.exe
Token: SeDebugPrivilege | 668 | rtg.exe
Token: SeDebugPrivilege | 4952 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4952 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4952 | taskmgr.exe
Token: SeDebugPrivilege | 2012 | rtg.exe
Token: SeDebugPrivilege | 3440 | rtg.exe
Token: 33 | 4952 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4952 | taskmgr.exe
Token: SeDebugPrivilege | 764 | rtg.exe
Token: SeRestorePrivilege | 4776 | 7zG.exe
Token: 35 | 4776 | 7zG.exe
Token: SeSecurityPrivilege | 4776 | 7zG.exe
Token: SeSecurityPrivilege | 4776 | 7zG.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4140 7zFM.exe 4140 7zFM.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3792 | PE-bear.exe
1188 | PE-bear.exe
1188 | PE-bear.exe
3932 | pestudio.exe
3932 | pestudio.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 700 wrote to memory of 3080 | 700 | cmd.exe | 93
PID 700 wrote to memory of 3080 | 700 | cmd.exe | 93
PID 700 wrote to memory of 4296 | 700 | cmd.exe | 94
PID 700 wrote to memory of 4296 | 700 | cmd.exe | 94
PID 2464 wrote to memory of 4988 | 2464 | cmd.exe | 97
PID 2464 wrote to memory of 4988 | 2464 | cmd.exe | 97
PID 2464 wrote to memory of 2944 | 2464 | cmd.exe | 98
PID 2464 wrote to memory of 2944 | 2464 | cmd.exe | 98
PID 3792 wrote to memory of 1188 | 3792 | PE-bear.exe | 128
PID 3792 wrote to memory of 1188 | 3792 | PE-bear.exe | 128
PID 3008 wrote to memory of 5092 | 3008 | unlicense.exe | 132
PID 3008 wrote to memory of 5092 | 3008 | unlicense.exe | 132
PID 5092 wrote to memory of 5056 | 5092 | unlicense.exe | 133
PID 5092 wrote to memory of 5056 | 5092 | unlicense.exe | 133
PID 3648 wrote to memory of 4300 | 3648 | unlicense x32.exe | 136
PID 3648 wrote to memory of 4300 | 3648 | unlicense x32.exe | 136
PID 3648 wrote to memory of 4300 | 3648 | unlicense x32.exe | 136
PID 4300 wrote to memory of 4224 | 4300 | unlicense x32.exe | 137
PID 4300 wrote to memory of 4224 | 4300 | unlicense x32.exe | 137
PID 4300 wrote to memory of 4224 | 4300 | unlicense x32.exe | 137
PID 4440 wrote to memory of 1056 | 4440 | unlicense x32.exe | 140
PID 4440 wrote to memory of 1056 | 4440 | unlicense x32.exe | 140
PID 4440 wrote to memory of 1056 | 4440 | unlicense x32.exe | 140
PID 1056 wrote to memory of 2012 | 1056 | unlicense x32.exe | 141
PID 1056 wrote to memory of 2012 | 1056 | unlicense x32.exe | 141
PID 1056 wrote to memory of 2012 | 1056 | unlicense x32.exe | 141
PID 1004 wrote to memory of 4064 | 1004 | msedge.exe | 163
PID 1004 wrote to memory of 4064 | 1004 | msedge.exe | 163
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
PID 1004 wrote to memory of 4008 | 1004 | msedge.exe | 164
Processes
C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4140

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2296

C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat
  PID:1984

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat" "
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:700
    C:\Windows\system32\openfiles.exe
      Command line: openfiles
      PID:3080
    C:\Windows\system32\certutil.exe
      Command line: certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"
      PID:4296

C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat"
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2464
    C:\Windows\system32\openfiles.exe
      Command line: openfiles
      PID:4988
    C:\Windows\system32\certutil.exe
      Command line: certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"
      PID:2944

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe"
  - Executes dropped EXE
  PID:1544

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

C:\Users\Admin\Desktop\disk spoofer.exe
  Command line: "C:\Users\Admin\Desktop\disk spoofer.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720

C:\Users\Admin\Desktop\disk spoofer.exe
  Command line: "C:\Users\Admin\Desktop\disk spoofer.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4952

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
  Command line: "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
PID:3440
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log1⤵PID:3452
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1188
-
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3932
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵PID:5056
-
-
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
- System Location Discovery: System Language Discovery
PID:4224
-
-
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
- System Location Discovery: System Language Discovery
PID:2012
-
-
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"1⤵
- Executes dropped EXE
PID:2208
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"1⤵
- Executes dropped EXE
PID:2532
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"1⤵
- Executes dropped EXE
PID:2204
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe"1⤵
- Executes dropped EXE
PID:2740
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"1⤵
- Executes dropped EXE
PID:2360
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"1⤵
- Executes dropped EXE
PID:2080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffff1f246f8,0x7ffff1f24708,0x7ffff1f247182⤵PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵PID:4008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵PID:3584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:12⤵PID:4328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:4376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:3736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:82⤵PID:668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:2808 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff782bb5460,0x7ff782bb5470,0x7ff782bb54803⤵PID:2004
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:82⤵PID:1480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:12⤵PID:4776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵PID:384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵PID:2116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:12⤵PID:4504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵PID:3284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:22⤵PID:4044
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2144
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4648
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap3216:906:7zEvent21974 -ad -saa -- "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 152B
MD5 501a25f290332c25255eaaf70ee6f240
SHA1 23cba10495d7098ad6de6936cf31c1b0eefd1246
SHA256 420c031363bcb69b4cc540b0afad7180d21b4957a2d6eabe23a40e669aeeebcc
SHA512 84ba813e4036be7d9fa08d5fab885421017d008f8fe8d99f56313b54f490c9151a27a67734bb17101691df563efef7e5379250f476e869a848f225786a913081

Filesize 152B
MD5 4c2eb126a03012e4645cbf12fa576adb
SHA1 f4fc0dbbe2fca0aab23014eeee6d533aad91b5fb
SHA256 ce9774b847a66f7dce4153518d56469986dedfe78acbcca8e97a64d21df5a1ec
SHA512 40008285483a37d186c6feaaea96e92f8d665193eb2cd4af0ccd2e77544fa2afedd8aa89b8f09e49e1d6960cbe8543389151d2413c8be408794b70da0eb122e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ef80423-6e60-4c11-b2a6-2128fb8735f2.tmp
Filesize 24KB
MD5 ef30b5850d78b050b13ae82ee13c6b28
SHA1 25bcd922ab2c62d47c9bfac3fafcca08317ad8e5
SHA256 dfd732ede1af0d6dc560b9fbef26f92f9fdf83a72da3e6910cb39843be4fed30
SHA512 f9bdbddff6fe99cacf3a670ab5504849668c9049053eca2a4b51f74eb050ea4d60629ce29a571223b1cf293101d646067f9f00e4fb3039738921e1c042419f8e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 144B
MD5 5ded83fd632c71faeddd45a56aee167e
SHA1 d59bab7c90c4c0b199111a0c2a53302883da5a44
SHA256 a77c5a41d6e14c79286a796cc65ec6087dd93d9cfaa948f5440b646fce4831ef
SHA512 f649d56b9f6c5ca03346bf7e4fdb7d59ddeb92fbc42b6c65dedeb00b60a0615dae49c197964bde769c7b162203be8b0fe02a814988963205e65d755bf56e756d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 168B
MD5 0a3e5c57f1118a9a917da5550c221af9
SHA1 f0c971acf10e4176e9d6f4864bcc78f5df33329c
SHA256 373c4ea25dfc99437a2c05a3a7dd968b292debd9d8e585f662d8dd7971428659
SHA512 59bd5095f47f991b993aba7f3151a1b41326189ab0355d0157e0d843b31d7c9ded17c24244afe711b19abeb6f1b7811aed0b221e1ecb391759c8e1683f2a6e42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 28db184439a9340e826aa4de4806627b
SHA1 9d2800c68758c72789a3b00c6d1a2005ea6bd367
SHA256 d028b6ed5f56d2a4faba4f0a8ae81ef0bff022a99d27582516d06dca0b736cfa
SHA512 5ebbba421683a4de476b5d73523ca15a133079198417de133d004d39d12470f08e90c093237fb960ddeabcc6fc92bbf274239cb54c763f54af811f3f84e0da7c

Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize 539B
MD5 2e4f9595b536ad470285e7c7c8b23a9f
SHA1 8a44c7d3dfd9f38e6aaa4df1900c9d7b3b20f72a
SHA256 9f9a9b7437c96c7f68730deaa9f22a8409a6af82283ca29335f8b7e3e9e2081e
SHA512 a7a29902792f0eb02222f6c19bed56567dd3682e4db9ad8acb1620cb95a88ea4738a42dca109b2bb82368cd33dbde5b3e263d928d229dd02ac06ab62eab64748

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe6106e5.TMP
Filesize 59B
MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Filesize 5KB
MD5 4ba8f857e340312462fcebaa8e0e8cab
SHA1 826bd824433f3b38c466b46e65f846402516b5f8
SHA256 3bc5f5cde97c4a0cf198fdb0b97157c9b8b45372916f4657c7a847696fe17e9c
SHA512 70ed1ca5a492d4b2cc70421b4470a16fde8b6a36c4701f554d44c1ea777e79aa0531842fe2adf613f129083d0dd806610dfd1f37cd13385a8ee91af72555ca97

Filesize 5KB
MD5 e72d1293485e93c67a0454d1f205f1cd
SHA1 7cf77d04ebf2589f9c1ee1d6f7001029ace92948
SHA256 60925981fb231c356d5a7c44b821530adb226257517d43508a822e1e3604c32b
SHA512 74eccb1308e3186a63ff937e2fd0d136c7bf46f1025643beca579d70fbaa3e45810fd5e9597cfda234ef7a4260b331aaf2cadb299ea076c462324392c57e9852

Filesize 4KB
MD5 13b52959dead8f4d25a4ed5f847207e3
SHA1 ca4be2942f4ad6f3192dbbfaa258e034aec78b45
SHA256 7751e55ca85d17d52557bf029407c82086fb3197f052243805d05dc132add6c9
SHA512 0ab87d909b2e81dfc1ec9feb5adf2b7249ee8cc6e8dbdf2795433cb3398d600fa1aed623e9c279f9b8351374ae9b06331bd4cf045d14a0960f7a8d5de4219fff

Filesize 5KB
MD5 d2e278c1baa069779e7beffe3ca08d04
SHA1 dd218eb3cf151a6d4cefcc3b86573800f0752afb
SHA256 2510a4b3579d46fefb3d0a56c31beca7071808c54a508f42520a674ef0cb5ac8
SHA512 01615184148924b5965701d1ec632315a49b45244bd26056de134b4e2bc1d7eb92661be046ccff090a44b416d40e79134f075ca8f02ca8ac38abf5a6aabb8675

Filesize 24KB
MD5 94ce4b2ff0abce6d838ac24a1b0f4e73
SHA1 02f4a956ed4f2e2e0ca9c4b75bf8e7245a1cec88
SHA256 06180545891f02875414f56a2a8ca3f21c2f415e03644674cff1c9674cb9b222
SHA512 b3bf05777fa4abbd7c475657dea5ca9c00600ab6226843150eff563837c3232c3b513afc0ac5ff1976e35979a51f34710ab74582d1316282bdcb67cc17493c90

Filesize 538B
MD5 51029537075f0fb208b7f4c22dc1b0f1
SHA1 4b3d530a449d0bad73ac04c8a82f0af542d26ed2
SHA256 9a9fccf3c06fd9448ce47271dafd98291e46fb2b6f682c79c1659c2dc666c7df
SHA512 b5c544ba9f7a399e6a555e914c17b2fece78f5f73be1f547f14170c0766050b0b7b6f9c3f8afcba08f3384914bd96a087c1d4b54b727fd87e04ceea0631b2e8b

Filesize 370B
MD5 030ed795e95fc93175ac626e7ea0e2dd
SHA1 c0d3a6239d9d7f28c8f9f7dddb75fc10825159d7
SHA256 c00477f3b293cdb88de97ad2cf3f66db18f2b1415e292c34c09ccd8d6fa51539
SHA512 f8998ec883152dcffec70a449b65d9882597988bae7272f68545f3eb8d983e35e9ef452b74ad821299e05d26f02ebb9535234c94ed3281f234d7df194ee1285c

Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize 10KB
MD5 b12e14866070aba729151513b81cde8f
SHA1 af010ac7ddb67a4946b8db2bdb36bddb34c7b711
SHA256 7970a0aed6161802e7925fac5282add6dde9d1c77944b5ca8c365c0a82b4f54c
SHA512 ef8cefaa8dc9fabde44d511a30fc59131aa73134cbc146e770aa7a99bf0185938ee78d847529bca7c711229adabb143926418971c0383178c49482bf6ddc171a

Filesize 10KB
MD5 8b29f80286830ae6cd8d6f2ccbddc5c2
SHA1 428a1b32864e1367fc5d3a280cb86cf5f822cd31
SHA256 08d70545ec2a87362566a1b9160c7ebb38fe62b16f93e608db2db4c62125621e
SHA512 fa69c58b8cc9ce736f7d5ae309cf2dfbf7d7d49d7c522a83d9034c065aff5e748e64f2257a43acb8af37328d1c5ab1be73c3bc1c055220cf81bc5c29b708491a

Filesize 8KB
MD5 93e16149f0b0c4dab35887280040f22c
SHA1 f0c409c9a70a5ed3908e0774cd6399850e24c49c
SHA256 d160f5fbde3aad5d9131553bd63f2737e5efc62de9ed5774c9542e4fda942d30
SHA512 62943960861b57ecf1658b3d52855f88c59bad796efc515396795ed88d612120841877a4d2fbd0e628007f9b0aef6ada06aacc9ebf9e940f36aeb6a12cb8cfbc

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\New folder (2)\tWWirfQzHUpgWSeHyp
Filesize 33KB
MD5 1898ceda3247213c084f43637ef163b3
SHA1 d04e5db5b6c848a29732bfd52029001f23c3da75
SHA256 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
SHA512 84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma
Filesize 4.0MB
MD5 6f64ca90f4dde19acccc01c1a5f75978
SHA1 f7d358f39d48f34000c78b43063678fa9a7128af
SHA256 1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b
SHA512 cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\f_00004b
Filesize 1.2MB
MD5 3ad1246ad83b3da15cb79566f692e912
SHA1 731b4fe9a0cad4259de8287bb03055abeb3028f7
SHA256 da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893
SHA512 a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif
Filesize 43B
MD5 325472601571f31e1bf00674c368d335
SHA1 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256 b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\UD\x64\Reverse x64.ini
Filesize 47KB
MD5 97f48bb67a20a16f0a06788c5cd0c7cd
SHA1 a68643027106314c5f6a5492e60755693af3f257
SHA256 6a091ad252b3b946a12e1f8eb55648a8c019b40ada187b85fd589f4f1ae1bafc
SHA512 47d7d795d09977adf04d9bb5b2806c647925747fde3dc2f6e5a4d644936e094003bb10ee3b8f30e9b0acf96b5b203c90956d8b0069dbcb00bac6ab71763c8aec

Filesize 106KB
MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Filesize 5.5MB
MD5 5a5dd7cad8028097842b0afef45bfbcf
SHA1 e247a2e460687c607253949c52ae2801ff35dc4a
SHA256 a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512 e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Filesize 987KB
MD5 6169dac91a2ab01314395d972fc48642
SHA1 a8d9df6020668e57b97c01c8fd155a65218018af
SHA256 293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e
SHA512 5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 a52cc66cc109eed229de4c00779f1590
SHA1 1afe3489b70b1102fbb896424f9b227c9302ec18
SHA256 ad06b32e65279289a16b7db2e355a52249e66f024e494e27b42a84fda5fe0ffb
SHA512 5d20fd0239634593ad45f5c66ace2fd192342116997ab7ef633b3d5f7dd7815aebf0e8b327729ff83a1f5a9b99e64dcb29dc0197734069507565c6cf506d6a24

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 869da3d836eb3fa33ee357bdfb9f5284
SHA1 26a19f0f4ac0926c9326fe15c91887304fc57ad1
SHA256 faa9f8ec4647c6a0e96103159a1c7ce028fbdf9a44847798248b0bbf3aa552f6
SHA512 64dcbbc8de6521e8fb20d79530e7838850550956ff57813b4aee958d2dcf4ac153dfeb1ae3d1fe155db2bcd622248d40a4993915e04a767127b0e14682809a8d

Filesize 49KB
MD5 27f87ebebb071afec1891e00fd0700a4
SHA1 fbfc0a10ecf83da88df02356568bcac2399b3b9d
SHA256 11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9
SHA512 5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe
Filesize 5.1MB
MD5 bd54da575cc249f47935647c55adfb49
SHA1 c100dee9ec367fbc9484e7a2f6208830af7c0d03
SHA256 4d3144aeb0713616d1136416625c16f2c5a42c9198eef370b64c3f45cddc5957
SHA512 6c4f8c51ba37cd8758d64144e6ce2c2f3a058ee14d07e4256d3e4fb92ceda9e242880c94e567a285cb1f63d2a75082f27d45bf6b1a1827aa46452184abf499fd

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Core.dll
Filesize 5.7MB
MD5 817520432a42efa345b2d97f5c24510e
SHA1 fea7b9c61569d7e76af5effd726b7ff6147961e5
SHA256 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a
SHA512 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Gui.dll
Filesize 6.7MB
MD5 47307a1e2e9987ab422f09771d590ff1
SHA1 0dfc3a947e56c749a75f921f4a850a3dcbf04248
SHA256 5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e
SHA512 21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Widgets.dll
Filesize 5.2MB
MD5 4cd1f8fdcd617932db131c3688845ea8
SHA1 b090ed884b07d2d98747141aefd25590b8b254f9
SHA256 3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358
SHA512 7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\imageformats\qico.dll
Filesize 37KB
MD5 a9abd4329ca364d4f430eddcb471be59
SHA1 c00a629419509929507a05aebb706562c837e337
SHA256 1982a635db9652304131c9c6ff9a693e70241600d2ef22b354962aa37997de0b
SHA512 004ea8ae07c1a18b0b461a069409e4061d90401c8555dd23dbf164a08e96732f7126305134bfaf8b65b0406315f218e05b5f0f00bedb840fb993d648ce996756

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\platforms\qwindows.dll
Filesize 1.4MB
MD5 4931fcd0e86c4d4f83128dc74e01eaad
SHA1 ac1d0242d36896d4dda53b95812f11692e87d8df
SHA256 3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85
SHA512 0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\styles\qwindowsvistastyle.dll
Filesize 140KB
MD5 53a85f51054b7d58d8ad7c36975acb96
SHA1 893a757ca01472a96fb913d436aa9f8cfb2a297f
SHA256 d9b21182952682fe7ba63af1df24e23ace592c35b3f31eceef9f0eabeb5881b9
SHA512 35957964213b41f1f21b860b03458404fbf11daf03d102fbea8c2b2f249050cefbb348edc3f22d8ecc3cb8abfdc44215c2dc9da029b4f93a7f40197bd0c16960

Filesize 47.2MB
MD5 69e2318d24da523c4d6623385a81f201
SHA1 62f8fbf59fabad8052dc215fc6f7527d7fd4e33f
SHA256 33c27d4deaaf54f832849d71ce65ce568eb2ca2bb1f24c21f9cf9f0dde7af955
SHA512 ccdad88cef3469e87d6952779f76b326246dc6e00b22028667924e44fcfa1a19140d73e591014a05e6148169622ea0f7b19c695e096acf44348daa774ce47632

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt
Filesize 1KB
MD5 e3eff8b29b2d04da7a2e09e214f0949b
SHA1 34a05a3e6a8fc1710d22b9fb891f6c7a400c5701
SHA256 dfea79c5653186395f8c5c06942471144d1528a2bb0a270321b1a53bcab32f58
SHA512 bd7207bed45d100a522228ed21d1bee079e4cbd449369f114a9feda56d0ca7df1fc05c8451454f60b77ae27a12a1467eae667c9f1a992a9dab755dcd7f3344c5

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe
Filesize 388KB
MD5 abf8e6493f91c4b609b95aca7deadeed
SHA1 b1e5943ee728e5ceebd4213bcd679e6406daee48
SHA256 e6b06b2412176e9f9b1dc4df36edc34774e16c0e21de8d6b319ad3be6ab42b9a
SHA512 6e9f9604333fabd2cf3c7cbe1defbb4c84ef0691d42d4c7ef7d3913f29052e87c566dd1f47afdb5a37d0089463e48a517ace16fa5bcd4557261832955e19eacb

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat
Filesize 955B
MD5 0276a98b46cd55649271dd7fdacd96b5
SHA1 a8005f3c25816edf2d1e78e486fc891bdcb27f3e
SHA256 b1f446297da443eab61fe6156f574899526cefa95caeddc051c820d2b843850b
SHA512 a66c0544cc65f15b314d88205a7207f31457c3fdb3e1c2ac12fe2854c77444aae4b1879c3c61e6a97ec1895fe4c3b1da0ad54d8e82271566bb1fbcc27000e66e

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\diwness_dumped_68.bin
Filesize4KB
MD5ca126ceeaa5549074e7701d1a5adaf55
SHA193a5835091ab3ebc6d686fc99919c77df42ff015
SHA2567d1e964d1c1b981e94acaa69d76fca471d310b22a1a157c46f62c6a95e5ffccb
SHA51284ea1e57826cfdf4c822c3989ba61cf24098f2285026ce90eca3550eb3f12964cb3304742870ae40b781e84f97daff74737b2b55f4f35961a8ff24b1406ec083
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
Filesize52KB
MD5268b9215fb788aac11dc5700ee851cb9
SHA1490f8837a4007cee8c8c2c79b5b18f81d2485126
SHA256a48b336c2e46bb6a724b55b9c97f9b5c6b24300c72a746f2428fdd0775470783
SHA512fc341cc631322b9c65a9308e98a8d52a31c22e49b44680b14a096fc27bfcb1842dc0c8599953c20b707b76a5ba5fb81faa551fbbc4d6d1f2d836b0af204443cc
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log
Filesize274B
MD5999679cf427724d049349e7b79e58794
SHA12901d98f163da191e3b8a57bf00e11056166fb03
SHA2564463559ae071c1f0385cb4a6cc60decfd001811d6226747f61385bad0eafec44
SHA512596f5660f08afe8ee74b27153169a3964f3b12c6e835d325388ccfa6284ee5e466715bb1d65b0ae8df8634abb2722150369a8714c990fb462e1e819b9172d632
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\peparser.dll
Filesize1.4MB
MD52b30f638c419b06a1ab2d2877259b641
SHA10f2621f218da90d9c618443bb18f3ad0b725a5ee
SHA256915313ce47204159e31e8ff7a04f2af41f477819198b39554c4d68b39a5a1aca
SHA51241246d91e376b7747b7433e76aae9d5d56978f50a6a611b488a4ab6017efc8407b9cbeb57f86d99a89297494e3c67005a680699fa1e8e277108c254dbff6f2be
-
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe
Filesize888KB
MD5bd850d7328e8d1a5e532cd5415188c73
SHA1d0f6cb25570cd6edad588f102f05318b127a220a
SHA256a769e435bb4b699f32e39c8fe0219e5a428709b0d07c1dac9b63aa730c9fbda0
SHA5125478fed4730c228cf12bc1afb46d5750224f91b4639904cca9d3ee21eac7fd5873257013bde2a982a070f35feec6a45bcda9800d0a86a3a8ddcddbf9798b9fca
-
Filesize
848KB
MD5c3fc72c74f38bad40cbc3dfe7832530e
SHA189f0c5318a2cf4d29242b89f0b5bfb71fb956161
SHA25675c918110defb1261c5781f11fa47da18fbb00ac4850758a5fb28da2e5292d3b
SHA51291650946e015aaf9cd95a0da57ce77978a9e79701339c2a8480c19f404a16e0b82a33c11795b6c8e571052a4dc11d4503155efe488743b43ac2db5bff8a5aac4
-
Filesize
154KB
MD582b200c3ae6d1e7eee7a0e15ed68d571
SHA15f0b2437b9304fce9fc3ac84f9f8d7b79f47c7b6
SHA256e2c2b48c49eb4a71c8d5ae43b818bfed41404f199d6d50960bec9853d0e50562
SHA5127de4b503f2a75a640d03ccdf0612113c608e26f4f66c305d73e9afbe32770d343c7d976befd7686eacfd2109eef5841a236cc743dc70a2fa29177ee3bd6a8420
-
Filesize
1KB
MD5b5d7874bab86954fd02bec29ed18e7af
SHA16c734db5bbe940e4ae3ca14ef37f462d2548acea
SHA256f981c26cff1a3ea2c23effb85c3155fe01da590603d6bed8d17dd0c962d2c6e4
SHA512a2e934ab5ec4998e1a7b02d8427fc44246e35c7bc851e6d94db1d1e456dbce5809da4bdf8ff00257bf164b9bd7bd7cf15de19b9129284925a24ed1d1646e3c5d
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\functions.xml
Filesize434KB
MD52f76771b12ec93863ff7a7cb46d214cf
SHA1db69fc2575c2765b38f1e69953b38eb6c047157d
SHA2563395b3d7503470555043e0281a075689221b35e401e6b8e243acea1d6f09e5e4
SHA512b118b248e42d7343665be2b7f032af6c57678726c5002474937e33f0dd72d38108bfc95e96c995911a13b9bb7031fd2957d1ff5103d00493f9f5dc25f7fcb0c1
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\indicators.xml
Filesize16KB
MD5c24c172d203170da0841a99829cf3e14
SHA1477606e26edca415e2ac29d2233b88565927f39c
SHA2568cc49f33ecfcce4f4e027cb4c6d24701c3b56c7b71f0f5ea60402167baa06b6a
SHA512ccbc38ccd036ebf0138972fb6b2ab2e70e03f9c1397cc973a84ff1eb1235eba48fbe6488ef6729f122a3aa0e0402a512ccf6a43f94a5c97624adab8e60b54695
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\languages.xml
Filesize16KB
MD570f5461a0f51a8d954772802795b9e1c
SHA13ba8614bb2ef62e51bd905d53904092b77f34dfb
SHA25669aa80a4e4d3f6388b673cb6e7fbb21e8a52f5c47177082beca24aa3db756508
SHA512a09f23a8915e3cdc003d5e3a4f8b7fd9b99f72a72ba25dce39cffefab567fdb83c909989e481abb2416ffacaaa484c4773433c202ac9bf75c9e9e8149504e1ec
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\mitre.xml
Filesize22KB
MD51399464d9449e6d2acf50ff291ca4c50
SHA1ece2e5f0bf2004b475e83b88205422bcae8884cf
SHA2564b4e8c1b269ed962462a1bea47f74f7747f2c35bc53d813ee019d6d7944d1cac
SHA5129a8738ee7deed212aa0295f974fd14c996d5fa5fb74490c6e13e70a06ac6c24584262872d5bbe342b448d6fb43d4dfa06f9f84fb6b0070d35730ab6beab1666f
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\namespaces.xml
Filesize6KB
MD5a9d75e1988f5c72f18c55b6cd50179e5
SHA130507ad1b9b99f11e3d243183774c5d4c13113d4
SHA256c8185f0cd30e3ad48f78e11a42e48b330f9e8155066d181d4fd18db4568c1c3b
SHA5127d316f60665c435b9fdea7c1a4534acdef784730757f9f8c0f3da1e102d0d8e33574fe18f9655c5f103d1a810cc4a6ae7832cb3e6dcffe7b3cef299d42384212
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\rich.xml
Filesize35KB
MD57e890ec434de406b0ee6a7e0ee289804
SHA1fe65fcc8367f01bfed7455a32681a884cab5345e
SHA2561201faefe571a70d7d4649638717a9a99341cb3455caa1155439af05d0b4ddc7
SHA51283a92d3f533df64d3e8f885f3a3ccd7910242a0387223e01121a00bd0339cdc840b97984c1e9d69b6a2a6b8830f5ea95cc9ab16dfa2f65c137e18cfba5800df7
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\settings.xml
Filesize9KB
MD5ad522c71927765d5eb0abd8f51c9d113
SHA190b6795634f28c7fa44371094bfa53df3ecd3e31
SHA2565d6bb1158eb3deb57922764452bcacc143528b407c6c09b28af70afbaa1014b7
SHA5123c017048d338641966f914846e012e268a7376fdc44e2e21dd9fe06febd95945fda7e9ccf285566df8e43f442e68a4e1154e30f4c1f42bd4d279b8bf8fb973db
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\signatures.xml
Filesize369KB
MD574fa8cde79c65e8c946435e82b435b1b
SHA16fc08deaa81c8d659b089f71e41a105f0d7d57cd
SHA2568272a8617b6a5df3e7a35679127c929cbb83d98c6dd01fe86fe7064d23f655b9
SHA5126ad623d90023eab366a4197a65d86e04c5f59ea33add0a3d576f98b032349049e4c358f405ea29cf15aab36fddc2d60f0d3f16e2b3f18b57314f5c43b3f064e2
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\strings.xml
Filesize63KB
MD5897ad35c847b8c24b6d6ce704f20bc64
SHA183efa9d60a9122b52579f583f32fbc0f8d337bf1
SHA2568747d8fc0bd12cdfb34800ca73e468f0b2f0e5feaaf7779d5b33f8904ed85055
SHA512598b9d30b34acaf4b8f1bd32973b88ca1c96a9add029b24746d49103e995678b2b56adc3357e20de097075366e8e96ced777bcfe2af42255d1fcd966d2288946
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\thresholds.xml
Filesize2KB
MD5aac239f529031c9d30204b1957fbf73f
SHA1b0637f58fe9b5f29629df457f4bcf62c8fb061e0
SHA256eae66d8ad576934f6af9edad5882bcdcf752b5dc9e68838565c0523a1f100bca
SHA5125146bc899dea08f49f5058714a12cf7a5910ea3bfa4ad24f0da53ed841f99961f54eb3f1527364226cb9df99e1acd9ffafd019ba44a6baad2510b62fbd40bccf
-
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\translations.xml
Filesize41KB
MD5f8f91bd6d493ceb50b2135eb65bfe1ce
SHA1af72780f22aaed9bffbf2e8d907bf0b14af8996f
SHA25611341d6720dcf3445c507331b159c79ed7a502f7aa7bcbde29ab271b2b5dcb0d
SHA512b0c015efd68ae6b03adae65aa9e0b1b512fddb99f60c1488048c26c6975963b4a46625586a86f4e8730a4ed76a9121af5c5c451f23cdb3e22d1d706f4aee1c2f