Malware Analysis Report

2025-05-28 16:49

Sample ID 250115-e6s5gssrcj
Target Downloads.rar
SHA256 4703a486b7b3cc3ea426bfba5247bba27e608df3bb6bb3f02c5d385acde46112
Tags
pyinstaller agilenet discovery evasion
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file Downloads.rar was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller agilenet discovery evasion

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Drops file in Drivers directory

Obfuscated with Agile.Net obfuscator

Checks BIOS information in registry

.NET Reactor proctector

Loads dropped DLL

Executes dropped EXE

Maps connected drives based on registry

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Detects Pyinstaller

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2025-01-15 04:36

Signatures

.NET Reactor proctector

Obfuscated with Agile.Net obfuscator

agilenet

Detects Pyinstaller

pyinstaller

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 04:33

Reported

2025-01-15 04:50

Platform

win10ltsc2021-20250113-en

Max time kernel

791s

Max time network

784s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\Desktop\disk spoofer.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\cmd.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\Desktop\disk spoofer.exe N/A

.NET Reactor proctector

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\disk spoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\disk spoofer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe N/A
N/A N/A C:\Users\Admin\Desktop\disk spoofer.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Desktop\disk spoofer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\Desktop\disk spoofer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e861ca19-589b-445b-8f57-167c5fff41a3.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250115044530.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Set value (str) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 66003100000000005c59948c1000435241434b497e3100004e0009000400efbe2f5aa7242f5aac242e00000061610400000028000000000000000000000000000000eb7acf0043007200610063006b0069006e006700200054006f006f006c007300000018000000 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe N/A
N/A N/A C:\Users\Admin\Desktop\disk spoofer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\disk spoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\openfiles.exe
PID 700 wrote to memory of 4296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2464 wrote to memory of 4988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\openfiles.exe
PID 2464 wrote to memory of 2944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 3792 wrote to memory of 1188 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe
PID 3008 wrote to memory of 5092 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
PID 5092 wrote to memory of 5056 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 4300 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
PID 4300 wrote to memory of 4224 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 1056 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
PID 1056 wrote to memory of 2012 N/A C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1004 wrote to memory of 4008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat" "

C:\Windows\system32\openfiles.exe

openfiles

C:\Windows\system32\certutil.exe

certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat"

C:\Windows\system32\openfiles.exe

openfiles

C:\Windows\system32\certutil.exe

certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Users\Admin\Desktop\disk spoofer.exe

"C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Users\Admin\Desktop\disk spoofer.exe

"C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffff1f246f8,0x7ffff1f24708,0x7ffff1f24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff782bb5460,0x7ff782bb5470,0x7ff782bb5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe

"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap3216:906:7zEvent21974 -ad -saa -- "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.69.228:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
SE 16.171.200.5:443 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
GB 95.101.143.201:443 www.bing.com tcp
GB 95.101.143.201:443 www.bing.com tcp
US 8.8.8.8:53 201.143.101.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gofile.io udp
FR 51.91.7.6:80 gofile.io tcp
FR 51.91.7.6:80 gofile.io tcp
FR 51.91.7.6:443 gofile.io tcp
US 8.8.8.8:53 6.7.91.51.in-addr.arpa udp
US 8.8.8.8:53 s.gofile.io udp
US 8.8.8.8:53 api.gofile.io udp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.91.7.6:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 210.242.75.51.in-addr.arpa udp
US 8.8.8.8:53 store2.gofile.io udp
FR 45.112.123.239:443 store2.gofile.io tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 239.123.112.45.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\New folder (2)\tWWirfQzHUpgWSeHyp

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\f_00004b

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif

C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\UD\x64\Reverse x64.ini

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt

C:\Windows\System32\drivers\etc\hosts

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe

C:\Users\Admin\Desktop\disk spoofer.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\diwness_dumped_68.bin

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Core.dll

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Gui.dll

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Widgets.dll

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\platforms\qwindows.dll

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\imageformats\qico.dll

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\styles\qwindowsvistastyle.dll

C:\Users\Admin\Desktop\spoof.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\peparser.dll

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\settings.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\translations.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\mitre.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\rich.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\indicators.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\thresholds.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\languages.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\signatures.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\strings.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\functions.xml

\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\namespaces.xml

C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe

C:\Users\Admin\AppData\Local\Temp\_MEI30082\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI30082\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ef80423-6e60-4c11-b2a6-2128fb8735f2.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe60cc9b.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe6106e5.TMP
