Analysis Overview
SHA256
4703a486b7b3cc3ea426bfba5247bba27e608df3bb6bb3f02c5d385acde46112
Threat Level: Likely malicious
The file Downloads.rar was found to be: Likely malicious.
Malicious Activity Summary
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Drops file in Drivers directory
Obfuscated with Agile.Net obfuscator
Checks BIOS information in registry
.NET Reactor protector
Loads dropped DLL
Executes dropped EXE
Maps connected drives based on registry
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Browser Information Discovery
Unsigned PE
Detects Pyinstaller
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 04:36
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 04:33
Reported
2025-01-15 04:50
Platform
win10ltsc2021-20250113-en
Max time kernel
791s
Max time network
784s
Command Line
Signatures
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\System32\cmd.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\Desktop\disk spoofer.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e861ca19-589b-445b-8f57-167c5fff41a3.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250115044530.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 68003100000000002f5a77231000435241434b497e310000500009000400efbe2f5aa7242f5aac242e0000005f610400000028000000000000000000000000000000aaf2a90043007200610063006b0069006e006700200054006f006f006c0073003200000018000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 = 8a003100000000005c59938c100050452d4245417e312e305f5100006e0009000400efbe2f5aab242f5aac242e000000016e0400000007000000000000000000000000000000e5f00301500045002d0062006500610072005f0030002e0037002e0030005f007100740035005f007800360034005f00770069006e005f00760073003100390000001c000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\NodeSlot = "13" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 660031000000000052594a841000435241434b497e3100004e0009000400efbe2f5aa7242f5aac242e00000060610400000028000000000000000000000000000000ef63280143007200610063006b0069006e006700200054006f006f006c007300000018000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "14" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 66003100000000005c59948c1000435241434b497e3100004e0009000400efbe2f5aa7242f5aac242e00000061610400000028000000000000000000000000000000eb7acf0043007200610063006b0069006e006700200054006f006f006c007300000018000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat" "
C:\Windows\system32\openfiles.exe
openfiles
C:\Windows\system32\certutil.exe
certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat"
C:\Windows\system32\openfiles.exe
openfiles
C:\Windows\system32\certutil.exe
certutil -addstore "Root" "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Users\Admin\Desktop\disk spoofer.exe
"C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Users\Admin\Desktop\disk spoofer.exe
"C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense x32.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\VMPDump\VMPDump.exe" "C:\Users\Admin\Desktop\disk spoofer.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PIDGet.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pssuspend64.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffff1f246f8,0x7ffff1f24708,0x7ffff1f24718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff782bb5460,0x7ff782bb5470,0x7ff782bb5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe
"C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\rtg.exe"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap3216:906:7zEvent21974 -ad -saa -- "C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,37476852852186432,18230625155136721938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| SE | 16.171.200.5:443 | | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 13.87.96.169:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 13.87.96.169:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 13.87.96.169:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| GB | 95.101.143.201:443 | www.bing.com | tcp |
| GB | 95.101.143.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 201.143.101.95.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.91.7.6:80 | gofile.io | tcp |
| FR | 51.91.7.6:80 | gofile.io | tcp |
| FR | 51.91.7.6:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 6.7.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.91.7.6:443 | api.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.123.112.45.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\New folder (2)\tWWirfQzHUpgWSeHyp
| MD5 | 1898ceda3247213c084f43637ef163b3 |
| SHA1 | d04e5db5b6c848a29732bfd52029001f23c3da75 |
| SHA256 | 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b |
| SHA512 | 84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377 |
C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma
| MD5 | 6f64ca90f4dde19acccc01c1a5f75978 |
| SHA1 | f7d358f39d48f34000c78b43063678fa9a7128af |
| SHA256 | 1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b |
| SHA512 | cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878 |
C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\f_00004b
| MD5 | 3ad1246ad83b3da15cb79566f692e912 |
| SHA1 | 731b4fe9a0cad4259de8287bb03055abeb3028f7 |
| SHA256 | da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893 |
| SHA512 | a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88 |
C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Users\Admin\AppData\Local\Temp\7zEC20EE228\Cracking Tools2\Cracking Tools\Cracking Tools\UD\x64\Reverse x64.ini
| MD5 | 97f48bb67a20a16f0a06788c5cd0c7cd |
| SHA1 | a68643027106314c5f6a5492e60755693af3f257 |
| SHA256 | 6a091ad252b3b946a12e1f8eb55648a8c019b40ada187b85fd589f4f1ae1bafc |
| SHA512 | 47d7d795d09977adf04d9bb5b2806c647925747fde3dc2f6e5a4d644936e094003bb10ee3b8f30e9b0acf96b5b203c90956d8b0069dbcb00bac6ab71763c8aec |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\scripting.bat
| MD5 | 0276a98b46cd55649271dd7fdacd96b5 |
| SHA1 | a8005f3c25816edf2d1e78e486fc891bdcb27f3e |
| SHA256 | b1f446297da443eab61fe6156f574899526cefa95caeddc051c820d2b843850b |
| SHA512 | a66c0544cc65f15b314d88205a7207f31457c3fdb3e1c2ac12fe2854c77444aae4b1879c3c61e6a97ec1895fe4c3b1da0ad54d8e82271566bb1fbcc27000e66e |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\certificate.crt
| MD5 | e3eff8b29b2d04da7a2e09e214f0949b |
| SHA1 | 34a05a3e6a8fc1710d22b9fb891f6c7a400c5701 |
| SHA256 | dfea79c5653186395f8c5c06942471144d1528a2bb0a270321b1a53bcab32f58 |
| SHA512 | bd7207bed45d100a522228ed21d1bee079e4cbd449369f114a9feda56d0ca7df1fc05c8451454f60b77ae27a12a1467eae667c9f1a992a9dab755dcd7f3344c5 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | b5d7874bab86954fd02bec29ed18e7af |
| SHA1 | 6c734db5bbe940e4ae3ca14ef37f462d2548acea |
| SHA256 | f981c26cff1a3ea2c23effb85c3155fe01da590603d6bed8d17dd0c962d2c6e4 |
| SHA512 | a2e934ab5ec4998e1a7b02d8427fc44246e35c7bc851e6d94db1d1e456dbce5809da4bdf8ff00257bf164b9bd7bd7cf15de19b9129284925a24ed1d1646e3c5d |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\auth swapper\prada\1337.exe
| MD5 | abf8e6493f91c4b609b95aca7deadeed |
| SHA1 | b1e5943ee728e5ceebd4213bcd679e6406daee48 |
| SHA256 | e6b06b2412176e9f9b1dc4df36edc34774e16c0e21de8d6b319ad3be6ab42b9a |
| SHA512 | 6e9f9604333fabd2cf3c7cbe1defbb4c84ef0691d42d4c7ef7d3913f29052e87c566dd1f47afdb5a37d0089463e48a517ace16fa5bcd4557261832955e19eacb |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\dumper.exe
| MD5 | 268b9215fb788aac11dc5700ee851cb9 |
| SHA1 | 490f8837a4007cee8c8c2c79b5b18f81d2485126 |
| SHA256 | a48b336c2e46bb6a724b55b9c97f9b5c6b24300c72a746f2428fdd0775470783 |
| SHA512 | fc341cc631322b9c65a9308e98a8d52a31c22e49b44680b14a096fc27bfcb1842dc0c8599953c20b707b76a5ba5fb81faa551fbbc4d6d1f2d836b0af204443cc |
C:\Users\Admin\Desktop\disk spoofer.exe
| MD5 | c3fc72c74f38bad40cbc3dfe7832530e |
| SHA1 | 89f0c5318a2cf4d29242b89f0b5bfb71fb956161 |
| SHA256 | 75c918110defb1261c5781f11fa47da18fbb00ac4850758a5fb28da2e5292d3b |
| SHA512 | 91650946e015aaf9cd95a0da57ce77978a9e79701339c2a8480c19f404a16e0b82a33c11795b6c8e571052a4dc11d4503155efe488743b43ac2db5bff8a5aac4 |
memory/3720-6636-0x0000020A03E90000-0x0000020A03F6A000-memory.dmp
memory/3720-6637-0x0000020A04360000-0x0000020A04372000-memory.dmp
memory/4952-6642-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6641-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6640-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6652-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6651-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6650-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6649-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6648-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6647-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/4952-6646-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\dumper\diwness_dumped_68.bin
| MD5 | ca126ceeaa5549074e7701d1a5adaf55 |
| SHA1 | 93a5835091ab3ebc6d686fc99919c77df42ff015 |
| SHA256 | 7d1e964d1c1b981e94acaa69d76fca471d310b22a1a157c46f62c6a95e5ffccb |
| SHA512 | 84ea1e57826cfdf4c822c3989ba61cf24098f2285026ce90eca3550eb3f12964cb3304742870ae40b781e84f97daff74737b2b55f4f35961a8ff24b1406ec083 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\all auth tools\ownerid & secret fetcher\fetcher.log
| MD5 | 999679cf427724d049349e7b79e58794 |
| SHA1 | 2901d98f163da191e3b8a57bf00e11056166fb03 |
| SHA256 | 4463559ae071c1f0385cb4a6cc60decfd001811d6226747f61385bad0eafec44 |
| SHA512 | 596f5660f08afe8ee74b27153169a3964f3b12c6e835d325388ccfa6284ee5e466715bb1d65b0ae8df8634abb2722150369a8714c990fb462e1e819b9172d632 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Filegrab\FileGrab.exe
| MD5 | 27f87ebebb071afec1891e00fd0700a4 |
| SHA1 | fbfc0a10ecf83da88df02356568bcac2399b3b9d |
| SHA256 | 11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9 |
| SHA512 | 5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\PE-bear.exe
| MD5 | bd54da575cc249f47935647c55adfb49 |
| SHA1 | c100dee9ec367fbc9484e7a2f6208830af7c0d03 |
| SHA256 | 4d3144aeb0713616d1136416625c16f2c5a42c9198eef370b64c3f45cddc5957 |
| SHA512 | 6c4f8c51ba37cd8758d64144e6ce2c2f3a058ee14d07e4256d3e4fb92ceda9e242880c94e567a285cb1f63d2a75082f27d45bf6b1a1827aa46452184abf499fd |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Core.dll
| MD5 | 817520432a42efa345b2d97f5c24510e |
| SHA1 | fea7b9c61569d7e76af5effd726b7ff6147961e5 |
| SHA256 | 8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a |
| SHA512 | 8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Gui.dll
| MD5 | 47307a1e2e9987ab422f09771d590ff1 |
| SHA1 | 0dfc3a947e56c749a75f921f4a850a3dcbf04248 |
| SHA256 | 5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e |
| SHA512 | 21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\Qt5Widgets.dll
| MD5 | 4cd1f8fdcd617932db131c3688845ea8 |
| SHA1 | b090ed884b07d2d98747141aefd25590b8b254f9 |
| SHA256 | 3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358 |
| SHA512 | 7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\platforms\qwindows.dll
| MD5 | 4931fcd0e86c4d4f83128dc74e01eaad |
| SHA1 | ac1d0242d36896d4dda53b95812f11692e87d8df |
| SHA256 | 3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85 |
| SHA512 | 0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d |
memory/3792-6923-0x00007FFFF2B90000-0x00007FFFF30D1000-memory.dmp
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\imageformats\qico.dll
| MD5 | a9abd4329ca364d4f430eddcb471be59 |
| SHA1 | c00a629419509929507a05aebb706562c837e337 |
| SHA256 | 1982a635db9652304131c9c6ff9a693e70241600d2ef22b354962aa37997de0b |
| SHA512 | 004ea8ae07c1a18b0b461a069409e4061d90401c8555dd23dbf164a08e96732f7126305134bfaf8b65b0406315f218e05b5f0f00bedb840fb993d648ce996756 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\PE-bear_0.7.0_qt5_x64_win_vs19\styles\qwindowsvistastyle.dll
| MD5 | 53a85f51054b7d58d8ad7c36975acb96 |
| SHA1 | 893a757ca01472a96fb913d436aa9f8cfb2a297f |
| SHA256 | d9b21182952682fe7ba63af1df24e23ace592c35b3f31eceef9f0eabeb5881b9 |
| SHA512 | 35957964213b41f1f21b860b03458404fbf11daf03d102fbea8c2b2f249050cefbb348edc3f22d8ecc3cb8abfdc44215c2dc9da029b4f93a7f40197bd0c16960 |
memory/1188-6934-0x00007FFFF2B90000-0x00007FFFF30D1000-memory.dmp
C:\Users\Admin\Desktop\spoof.exe
| MD5 | 82b200c3ae6d1e7eee7a0e15ed68d571 |
| SHA1 | 5f0b2437b9304fce9fc3ac84f9f8d7b79f47c7b6 |
| SHA256 | e2c2b48c49eb4a71c8d5ae43b818bfed41404f199d6d50960bec9853d0e50562 |
| SHA512 | 7de4b503f2a75a640d03ccdf0612113c608e26f4f66c305d73e9afbe32770d343c7d976befd7686eacfd2109eef5841a236cc743dc70a2fa29177ee3bd6a8420 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\pestudio.exe
| MD5 | bd850d7328e8d1a5e532cd5415188c73 |
| SHA1 | d0f6cb25570cd6edad588f102f05318b127a220a |
| SHA256 | a769e435bb4b699f32e39c8fe0219e5a428709b0d07c1dac9b63aa730c9fbda0 |
| SHA512 | 5478fed4730c228cf12bc1afb46d5750224f91b4639904cca9d3ee21eac7fd5873257013bde2a982a070f35feec6a45bcda9800d0a86a3a8ddcddbf9798b9fca |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\pestudio-9.59\pestudio\peparser.dll
| MD5 | 2b30f638c419b06a1ab2d2877259b641 |
| SHA1 | 0f2621f218da90d9c618443bb18f3ad0b725a5ee |
| SHA256 | 915313ce47204159e31e8ff7a04f2af41f477819198b39554c4d68b39a5a1aca |
| SHA512 | 41246d91e376b7747b7433e76aae9d5d56978f50a6a611b488a4ab6017efc8407b9cbeb57f86d99a89297494e3c67005a680699fa1e8e277108c254dbff6f2be |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\settings.xml
| MD5 | ad522c71927765d5eb0abd8f51c9d113 |
| SHA1 | 90b6795634f28c7fa44371094bfa53df3ecd3e31 |
| SHA256 | 5d6bb1158eb3deb57922764452bcacc143528b407c6c09b28af70afbaa1014b7 |
| SHA512 | 3c017048d338641966f914846e012e268a7376fdc44e2e21dd9fe06febd95945fda7e9ccf285566df8e43f442e68a4e1154e30f4c1f42bd4d279b8bf8fb973db |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\translations.xml
| MD5 | f8f91bd6d493ceb50b2135eb65bfe1ce |
| SHA1 | af72780f22aaed9bffbf2e8d907bf0b14af8996f |
| SHA256 | 11341d6720dcf3445c507331b159c79ed7a502f7aa7bcbde29ab271b2b5dcb0d |
| SHA512 | b0c015efd68ae6b03adae65aa9e0b1b512fddb99f60c1488048c26c6975963b4a46625586a86f4e8730a4ed76a9121af5c5c451f23cdb3e22d1d706f4aee1c2f |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\mitre.xml
| MD5 | 1399464d9449e6d2acf50ff291ca4c50 |
| SHA1 | ece2e5f0bf2004b475e83b88205422bcae8884cf |
| SHA256 | 4b4e8c1b269ed962462a1bea47f74f7747f2c35bc53d813ee019d6d7944d1cac |
| SHA512 | 9a8738ee7deed212aa0295f974fd14c996d5fa5fb74490c6e13e70a06ac6c24584262872d5bbe342b448d6fb43d4dfa06f9f84fb6b0070d35730ab6beab1666f |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\rich.xml
| MD5 | 7e890ec434de406b0ee6a7e0ee289804 |
| SHA1 | fe65fcc8367f01bfed7455a32681a884cab5345e |
| SHA256 | 1201faefe571a70d7d4649638717a9a99341cb3455caa1155439af05d0b4ddc7 |
| SHA512 | 83a92d3f533df64d3e8f885f3a3ccd7910242a0387223e01121a00bd0339cdc840b97984c1e9d69b6a2a6b8830f5ea95cc9ab16dfa2f65c137e18cfba5800df7 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\indicators.xml
| MD5 | c24c172d203170da0841a99829cf3e14 |
| SHA1 | 477606e26edca415e2ac29d2233b88565927f39c |
| SHA256 | 8cc49f33ecfcce4f4e027cb4c6d24701c3b56c7b71f0f5ea60402167baa06b6a |
| SHA512 | ccbc38ccd036ebf0138972fb6b2ab2e70e03f9c1397cc973a84ff1eb1235eba48fbe6488ef6729f122a3aa0e0402a512ccf6a43f94a5c97624adab8e60b54695 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\thresholds.xml
| MD5 | aac239f529031c9d30204b1957fbf73f |
| SHA1 | b0637f58fe9b5f29629df457f4bcf62c8fb061e0 |
| SHA256 | eae66d8ad576934f6af9edad5882bcdcf752b5dc9e68838565c0523a1f100bca |
| SHA512 | 5146bc899dea08f49f5058714a12cf7a5910ea3bfa4ad24f0da53ed841f99961f54eb3f1527364226cb9df99e1acd9ffafd019ba44a6baad2510b62fbd40bccf |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\languages.xml
| MD5 | 70f5461a0f51a8d954772802795b9e1c |
| SHA1 | 3ba8614bb2ef62e51bd905d53904092b77f34dfb |
| SHA256 | 69aa80a4e4d3f6388b673cb6e7fbb21e8a52f5c47177082beca24aa3db756508 |
| SHA512 | a09f23a8915e3cdc003d5e3a4f8b7fd9b99f72a72ba25dce39cffefab567fdb83c909989e481abb2416ffacaaa484c4773433c202ac9bf75c9e9e8149504e1ec |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\signatures.xml
| MD5 | 74fa8cde79c65e8c946435e82b435b1b |
| SHA1 | 6fc08deaa81c8d659b089f71e41a105f0d7d57cd |
| SHA256 | 8272a8617b6a5df3e7a35679127c929cbb83d98c6dd01fe86fe7064d23f655b9 |
| SHA512 | 6ad623d90023eab366a4197a65d86e04c5f59ea33add0a3d576f98b032349049e4c358f405ea29cf15aab36fddc2d60f0d3f16e2b3f18b57314f5c43b3f064e2 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\strings.xml
| MD5 | 897ad35c847b8c24b6d6ce704f20bc64 |
| SHA1 | 83efa9d60a9122b52579f583f32fbc0f8d337bf1 |
| SHA256 | 8747d8fc0bd12cdfb34800ca73e468f0b2f0e5feaaf7779d5b33f8904ed85055 |
| SHA512 | 598b9d30b34acaf4b8f1bd32973b88ca1c96a9add029b24746d49103e995678b2b56adc3357e20de097075366e8e96ced777bcfe2af42255d1fcd966d2288946 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\functions.xml
| MD5 | 2f76771b12ec93863ff7a7cb46d214cf |
| SHA1 | db69fc2575c2765b38f1e69953b38eb6c047157d |
| SHA256 | 3395b3d7503470555043e0281a075689221b35e401e6b8e243acea1d6f09e5e4 |
| SHA512 | b118b248e42d7343665be2b7f032af6c57678726c5002474937e33f0dd72d38108bfc95e96c995911a13b9bb7031fd2957d1ff5103d00493f9f5dc25f7fcb0c1 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\namespaces.xml
| MD5 | a9d75e1988f5c72f18c55b6cd50179e5 |
| SHA1 | 30507ad1b9b99f11e3d243183774c5d4c13113d4 |
| SHA256 | c8185f0cd30e3ad48f78e11a42e48b330f9e8155066d181d4fd18db4568c1c3b |
| SHA512 | 7d316f60665c435b9fdea7c1a4534acdef784730757f9f8c0f3da1e102d0d8e33574fe18f9655c5f103d1a810cc4a6ae7832cb3e6dcffe7b3cef299d42384212 |
C:\Users\Admin\Desktop\Cracking Tools2\Cracking Tools\Cracking Tools\Unlicense\unlicense.exe
| MD5 | 69e2318d24da523c4d6623385a81f201 |
| SHA1 | 62f8fbf59fabad8052dc215fc6f7527d7fd4e33f |
| SHA256 | 33c27d4deaaf54f832849d71ce65ce568eb2ca2bb1f24c21f9cf9f0dde7af955 |
| SHA512 | ccdad88cef3469e87d6952779f76b326246dc6e00b22028667924e44fcfa1a19140d73e591014a05e6148169622ea0f7b19c695e096acf44348daa774ce47632 |
C:\Users\Admin\AppData\Local\Temp\_MEI30082\ucrtbase.dll
| MD5 | 6169dac91a2ab01314395d972fc48642 |
| SHA1 | a8d9df6020668e57b97c01c8fd155a65218018af |
| SHA256 | 293e867204c66f6ea557da9dfba34501c1b49fde6ba8ca36e8af064508707b4e |
| SHA512 | 5f42f268426069314c7e9a90ce9ca33e9cd8c1512dcd5cc38d33442aa24dd5c40fa806cc8a2f1c1189acae6a2e680b6e12fb8e79a3c73e38ae21a154be975199 |
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
C:\Users\Admin\AppData\Local\Temp\_MEI30082\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 501a25f290332c25255eaaf70ee6f240 |
| SHA1 | 23cba10495d7098ad6de6936cf31c1b0eefd1246 |
| SHA256 | 420c031363bcb69b4cc540b0afad7180d21b4957a2d6eabe23a40e669aeeebcc |
| SHA512 | 84ba813e4036be7d9fa08d5fab885421017d008f8fe8d99f56313b54f490c9151a27a67734bb17101691df563efef7e5379250f476e869a848f225786a913081 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4c2eb126a03012e4645cbf12fa576adb |
| SHA1 | f4fc0dbbe2fca0aab23014eeee6d533aad91b5fb |
| SHA256 | ce9774b847a66f7dce4153518d56469986dedfe78acbcca8e97a64d21df5a1ec |
| SHA512 | 40008285483a37d186c6feaaea96e92f8d665193eb2cd4af0ccd2e77544fa2afedd8aa89b8f09e49e1d6960cbe8543389151d2413c8be408794b70da0eb122e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 13b52959dead8f4d25a4ed5f847207e3 |
| SHA1 | ca4be2942f4ad6f3192dbbfaa258e034aec78b45 |
| SHA256 | 7751e55ca85d17d52557bf029407c82086fb3197f052243805d05dc132add6c9 |
| SHA512 | 0ab87d909b2e81dfc1ec9feb5adf2b7249ee8cc6e8dbdf2795433cb3398d600fa1aed623e9c279f9b8351374ae9b06331bd4cf045d14a0960f7a8d5de4219fff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 94ce4b2ff0abce6d838ac24a1b0f4e73 |
| SHA1 | 02f4a956ed4f2e2e0ca9c4b75bf8e7245a1cec88 |
| SHA256 | 06180545891f02875414f56a2a8ca3f21c2f415e03644674cff1c9674cb9b222 |
| SHA512 | b3bf05777fa4abbd7c475657dea5ca9c00600ab6226843150eff563837c3232c3b513afc0ac5ff1976e35979a51f34710ab74582d1316282bdcb67cc17493c90 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | a52cc66cc109eed229de4c00779f1590 |
| SHA1 | 1afe3489b70b1102fbb896424f9b227c9302ec18 |
| SHA256 | ad06b32e65279289a16b7db2e355a52249e66f024e494e27b42a84fda5fe0ffb |
| SHA512 | 5d20fd0239634593ad45f5c66ace2fd192342116997ab7ef633b3d5f7dd7815aebf0e8b327729ff83a1f5a9b99e64dcb29dc0197734069507565c6cf506d6a24 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 869da3d836eb3fa33ee357bdfb9f5284 |
| SHA1 | 26a19f0f4ac0926c9326fe15c91887304fc57ad1 |
| SHA256 | faa9f8ec4647c6a0e96103159a1c7ce028fbdf9a44847798248b0bbf3aa552f6 |
| SHA512 | 64dcbbc8de6521e8fb20d79530e7838850550956ff57813b4aee958d2dcf4ac153dfeb1ae3d1fe155db2bcd622248d40a4993915e04a767127b0e14682809a8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 93e16149f0b0c4dab35887280040f22c |
| SHA1 | f0c409c9a70a5ed3908e0774cd6399850e24c49c |
| SHA256 | d160f5fbde3aad5d9131553bd63f2737e5efc62de9ed5774c9542e4fda942d30 |
| SHA512 | 62943960861b57ecf1658b3d52855f88c59bad796efc515396795ed88d612120841877a4d2fbd0e628007f9b0aef6ada06aacc9ebf9e940f36aeb6a12cb8cfbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4ba8f857e340312462fcebaa8e0e8cab |
| SHA1 | 826bd824433f3b38c466b46e65f846402516b5f8 |
| SHA256 | 3bc5f5cde97c4a0cf198fdb0b97157c9b8b45372916f4657c7a847696fe17e9c |
| SHA512 | 70ed1ca5a492d4b2cc70421b4470a16fde8b6a36c4701f554d44c1ea777e79aa0531842fe2adf613f129083d0dd806610dfd1f37cd13385a8ee91af72555ca97 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ef80423-6e60-4c11-b2a6-2128fb8735f2.tmp
| MD5 | ef30b5850d78b050b13ae82ee13c6b28 |
| SHA1 | 25bcd922ab2c62d47c9bfac3fafcca08317ad8e5 |
| SHA256 | dfd732ede1af0d6dc560b9fbef26f92f9fdf83a72da3e6910cb39843be4fed30 |
| SHA512 | f9bdbddff6fe99cacf3a670ab5504849668c9049053eca2a4b51f74eb050ea4d60629ce29a571223b1cf293101d646067f9f00e4fb3039738921e1c042419f8e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b12e14866070aba729151513b81cde8f |
| SHA1 | af010ac7ddb67a4946b8db2bdb36bddb34c7b711 |
| SHA256 | 7970a0aed6161802e7925fac5282add6dde9d1c77944b5ca8c365c0a82b4f54c |
| SHA512 | ef8cefaa8dc9fabde44d511a30fc59131aa73134cbc146e770aa7a99bf0185938ee78d847529bca7c711229adabb143926418971c0383178c49482bf6ddc171a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d2e278c1baa069779e7beffe3ca08d04 |
| SHA1 | dd218eb3cf151a6d4cefcc3b86573800f0752afb |
| SHA256 | 2510a4b3579d46fefb3d0a56c31beca7071808c54a508f42520a674ef0cb5ac8 |
| SHA512 | 01615184148924b5965701d1ec632315a49b45244bd26056de134b4e2bc1d7eb92661be046ccff090a44b416d40e79134f075ca8f02ca8ac38abf5a6aabb8675 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 28db184439a9340e826aa4de4806627b |
| SHA1 | 9d2800c68758c72789a3b00c6d1a2005ea6bd367 |
| SHA256 | d028b6ed5f56d2a4faba4f0a8ae81ef0bff022a99d27582516d06dca0b736cfa |
| SHA512 | 5ebbba421683a4de476b5d73523ca15a133079198417de133d004d39d12470f08e90c093237fb960ddeabcc6fc92bbf274239cb54c763f54af811f3f84e0da7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5ded83fd632c71faeddd45a56aee167e |
| SHA1 | d59bab7c90c4c0b199111a0c2a53302883da5a44 |
| SHA256 | a77c5a41d6e14c79286a796cc65ec6087dd93d9cfaa948f5440b646fce4831ef |
| SHA512 | f649d56b9f6c5ca03346bf7e4fdb7d59ddeb92fbc42b6c65dedeb00b60a0615dae49c197964bde769c7b162203be8b0fe02a814988963205e65d755bf56e756d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8b29f80286830ae6cd8d6f2ccbddc5c2 |
| SHA1 | 428a1b32864e1367fc5d3a280cb86cf5f822cd31 |
| SHA256 | 08d70545ec2a87362566a1b9160c7ebb38fe62b16f93e608db2db4c62125621e |
| SHA512 | fa69c58b8cc9ce736f7d5ae309cf2dfbf7d7d49d7c522a83d9034c065aff5e748e64f2257a43acb8af37328d1c5ab1be73c3bc1c055220cf81bc5c29b708491a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 51029537075f0fb208b7f4c22dc1b0f1 |
| SHA1 | 4b3d530a449d0bad73ac04c8a82f0af542d26ed2 |
| SHA256 | 9a9fccf3c06fd9448ce47271dafd98291e46fb2b6f682c79c1659c2dc666c7df |
| SHA512 | b5c544ba9f7a399e6a555e914c17b2fece78f5f73be1f547f14170c0766050b0b7b6f9c3f8afcba08f3384914bd96a087c1d4b54b727fd87e04ceea0631b2e8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe60cc9b.TMP
| MD5 | 030ed795e95fc93175ac626e7ea0e2dd |
| SHA1 | c0d3a6239d9d7f28c8f9f7dddb75fc10825159d7 |
| SHA256 | c00477f3b293cdb88de97ad2cf3f66db18f2b1415e292c34c09ccd8d6fa51539 |
| SHA512 | f8998ec883152dcffec70a449b65d9882597988bae7272f68545f3eb8d983e35e9ef452b74ad821299e05d26f02ebb9535234c94ed3281f234d7df194ee1285c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0a3e5c57f1118a9a917da5550c221af9 |
| SHA1 | f0c971acf10e4176e9d6f4864bcc78f5df33329c |
| SHA256 | 373c4ea25dfc99437a2c05a3a7dd968b292debd9d8e585f662d8dd7971428659 |
| SHA512 | 59bd5095f47f991b993aba7f3151a1b41326189ab0355d0157e0d843b31d7c9ded17c24244afe711b19abeb6f1b7811aed0b221e1ecb391759c8e1683f2a6e42 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e72d1293485e93c67a0454d1f205f1cd |
| SHA1 | 7cf77d04ebf2589f9c1ee1d6f7001029ace92948 |
| SHA256 | 60925981fb231c356d5a7c44b821530adb226257517d43508a822e1e3604c32b |
| SHA512 | 74eccb1308e3186a63ff937e2fd0d136c7bf46f1025643beca579d70fbaa3e45810fd5e9597cfda234ef7a4260b331aaf2cadb299ea076c462324392c57e9852 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2e4f9595b536ad470285e7c7c8b23a9f |
| SHA1 | 8a44c7d3dfd9f38e6aaa4df1900c9d7b3b20f72a |
| SHA256 | 9f9a9b7437c96c7f68730deaa9f22a8409a6af82283ca29335f8b7e3e9e2081e |
| SHA512 | a7a29902792f0eb02222f6c19bed56567dd3682e4db9ad8acb1620cb95a88ea4738a42dca109b2bb82368cd33dbde5b3e263d928d229dd02ac06ab62eab64748 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe6106e5.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
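The listing above is the form a responder usually has to work from: a path line (or a `memory/<pid>-<id>-<start>-<end>-memory.dmp` line), followed by `| MD5 | … |`, `| SHA1 | … |`, `| SHA256 | … |`, `| SHA512 | … |` rows. The same path appears several times with different hashes when the detonation rewrote a file (the Edge `Preferences` and `Local State` entries, for instance), and NT object-manager paths (`\??\c:\…`) are mixed with Win32 paths (`C:\…`). The parser below is an added example for this page, not code from the sandbox vendor or from the report; it turns the listing into records, folds both path forms together, reports files whose SHA256 changed between writes, and sizes the memory dumps per PID. The sample input is copied from a few lines of the listing above; the record format it assumes is the one this page renders.

```python
"""Parse a sandbox dropped-file listing into IOC records (added example, not part of the report)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Expected hex-digit length per algorithm; a wrong length means a truncated or mangled row.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a handful of lines copied from the listing on this page.
SAMPLE_LISTING = r"""
memory/4952-6652-0x000001D0374D0000-0x000001D0374D1000-memory.dmp
memory/3792-6923-0x00007FFFF2B90000-0x00007FFFF30D1000-memory.dmp
C:\Users\Admin\Desktop\spoof.exe
| MD5 | 82b200c3ae6d1e7eee7a0e15ed68d571 |
| SHA256 | e2c2b48c49eb4a71c8d5ae43b818bfed41404f199d6d50960bec9853d0e50562 |
\??\c:\users\admin\desktop\cracking tools2\cracking tools\cracking tools\pestudio-9.59\pestudio\xml\settings.xml
| SHA256 | 5d6bb1158eb3deb57922764452bcacc143528b407c6c09b28af70afbaa1014b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| SHA256 | 7751e55ca85d17d52557bf029407c82086fb3197f052243805d05dc132add6c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| SHA256 | 3bc5f5cde97c4a0cf198fdb0b97157c9b8b45372916f4657c7a847696fe17e9c |
"""


@dataclass
class Record:
    path: str                                   # path line exactly as the report printed it
    hashes: dict = field(default_factory=dict)  # algorithm name -> lowercase hex digest


def normalize_path(path):
    """Fold NT object-manager paths (\\??\\c:\\...) and Win32 paths (C:\\...) to one lowercase form."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_listing(text):
    """Group each path line with the hash rows that follow it; reject malformed rows early."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current.path} has {len(hexval)} hex digits")
            current.hashes[algo] = hexval
        else:
            current = Record(path=line)
            records.append(current)
    return records


def rewritten_files(records):
    """Paths seen more than once with differing SHA256s, i.e. files rewritten during detonation."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r.hashes:
            seen[normalize_path(r.path)].add(r.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def memory_dumps_by_pid(records):
    """Map PID -> [(start address, size in bytes)] for every memory/... dump entry."""
    out = defaultdict(list)
    for r in records:
        m = MEM_DUMP.match(r.path)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            out[int(m.group(1))].append((start, end - start))
    return dict(out)


def sha256_set(records):
    """Deduplicated SHA256 list suitable for a blocklist or retro-hunt."""
    return sorted({r.hashes["SHA256"] for r in records if "SHA256" in r.hashes})


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(f"{len(recs)} records, {len(sha256_set(recs))} distinct SHA256 values")
    for path, digests in rewritten_files(recs).items():
        print(f"rewritten: {path} ({len(digests)} versions)")
    for pid, dumps in memory_dumps_by_pid(recs).items():
        print(f"pid {pid}: {[(hex(s), n) for s, n in dumps]}")
```

Feeding the full listing through `parse_listing` instead of the sample gives the complete hash set for this detonation; the length check matters because a copy-pasted report row that lost a character would otherwise end up in a blocklist as a digest that can never match.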