discordrat | hxxps://gofile[.]io/d/pktw3u

Analysis

max time kernel
84s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/pktw3u

Score

10^/10

discordrat xworm discovery execution persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

xworm

105.100.184.221:38672

:38672

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7242122864:AAGtpRgIM7E1A3mlOYz1ioh5Jyg1HJtYIyg/sendMessage?chat_id=6229207397

Extracted

Family

discordrat

Attributes

discord_token
MTMxOTg1MzM3NDAzNTcyNjM2Nw.GzeaPn.GNWCjsxapWJvAvvVDOcCzsS93TMVtJhQT7wVaQ
server_id
1328701765326999582

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aaeb-155.dat	family_xworm
behavioral1/memory/1012-180-0x0000000000800000-0x0000000000814000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
396	powershell.exe
3044	powershell.exe
3312	powershell.exe
1748	powershell.exe
736	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.lnk	Anti Spyware services.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.lnk	Anti Spyware services.exe

Executes dropped EXE 4 IoCs

pid	Process
1908	loader.exe
1012	Anti Spyware services.exe
1428	main.exe
3620	Soundbording Microsoft.exe

Loads dropped DLL 26 IoCs

pid	Process
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\ProgramData\\Microsoft update"	Anti Spyware services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware services = "C:\\Windows\\System32\\Anti Spyware services.exe"	loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Soundbording Microsoft = "C:\\Windows\\System32\\Soundbording Microsoft.exe"	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
19	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Soundbording Microsoft.exe	loader.exe
File opened for modification	C:\Windows\System32\Soundbording Microsoft.exe	loader.exe
File created	C:\Windows\System32\Anti Spyware services.exe	loader.exe
File opened for modification	C:\Windows\System32\Anti Spyware services.exe	loader.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819678344241236"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sapphire cracked.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
888	chrome.exe
888	chrome.exe
736	powershell.exe
736	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe
1748	powershell.exe
1748	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1748	powershell.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe
1428	main.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeCreatePagefilePrivilege	888	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 228	888	chrome.exe	77
PID 888 wrote to memory of 228	888	chrome.exe	77
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 1968	888	chrome.exe	78
PID 888 wrote to memory of 2780	888	chrome.exe	79
PID 888 wrote to memory of 2780	888	chrome.exe	79
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80
PID 888 wrote to memory of 4180	888	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/pktw3u
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca7a2cc40,0x7ffca7a2cc4c,0x7ffca7a2cc58
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2020,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4128,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4132,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4880,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,9555883159802964523,5964022312890568455,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3340

C:\Users\Admin\Desktop\Sapphire cracked\loader.exe
"C:\Users\Admin\Desktop\Sapphire cracked\loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:736
- - C:\Windows\System32\Anti Spyware services.exe
    "C:\Windows\System32\Anti Spyware services.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Anti Spyware services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft update'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft update'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Soundbording Microsoft.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3556
- - C:\Windows\System32\Soundbording Microsoft.exe
    "C:\Windows\System32\Soundbording Microsoft.exe"
    3⤵
    - Executes dropped EXE
    PID:3620

C:\Users\Admin\Desktop\Sapphire cracked\main.exe
"C:\Users\Admin\Desktop\Sapphire cracked\main.exe"
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\main.exe
  "C:\Users\Admin\Desktop\Sapphire cracked\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Sapphire Raider I Login Or Register To Continue I Discord: discord.gg/sapphireraider
    3⤵
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
423a85b9677c0276db6d27e4c8e764fc

SHA1
e95678fd84385a751b2b7f5c453e4cd1a30c0152

SHA256
18b313d836bb8952b9d5de20245aa5bd6d9d9cdb1fea9c73aae9d77859e3182f

SHA512
17988217a4229654e8b05493bd37410fe03b7d058c4ae12d116555ee6c660da4510264cab90f451bc1afbcf036a73fff085a64e619ac65194effd74d074f2d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
fb18ba6a88d73c4c35946ba97aa89a1d

SHA1
e227bf701595538c58cb7af8c5a17a69ede89534

SHA256
13189647bc32f967268a7fa23639d94415f08633416693b12e2bffd2faca0729

SHA512
d3630244679a07538a497d833d67e279ecd0ebab0ffce78ce8e98a467613689000a540a8bfe7d712c69bc0e6cb98ad4fb67bf4605b64fa1c43e61c86ecea8348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
06713706ffb61ee276c2bc4adbfa0a56

SHA1
8e2abc4b56ad825aedea0e19f3aac16a61f0a2b6

SHA256
29dd5e35964917c9031012602cee2d1a54874b487c39ab5d2183c0e38d7526c9

SHA512
550be13fe807dcf839736ac395ca91293acd74267d25163aa2b7a72a0904ae8ed45515eae5035c6b76ca379124f1955c9fb8d1241f7d5321bd949889c7e98532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
41a71cf80eb698f9f42b64613e5c3001

SHA1
7e5bf1590a7c2c25e765cfce900b8c2c6fadff00

SHA256
42abba17a01b2a7268cab46ae6de278979dda17d3bf63414a7de5dd7bdde08ee

SHA512
6488a85e03853476ce70117f77b24145e4f61def44a4fbaa3306c49e8feb02ffad9a46f180f1b0d405a3bcd2e4d78126810e096d09bcc624a5feaebe34f6a3fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7e32d8f385bf92b113323cdb21d946f

SHA1
fbfb0f304e628c16c4725352468c1bb80a6be134

SHA256
abceb8cb8aa2ce55e037b9b1fa93966ec8027d14f1996332a55f6676300fc60e

SHA512
7919365e98bfc234b221240e4dace2f809e9e2d44b4836bdc53ed05c66d84a8517bb3d32eaaec22680e2f804383c19ff355ca1c327b795917ee16ffbb626300f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
773a0d6f0e326059bc977c4d95032f3d

SHA1
1d09c71258d2bf28b6203ae36cb09b04d67d1dc1

SHA256
751114567d09cf53a675d07ef869c80cf1717a656272857929ade11a70f8eac0

SHA512
ae1e50a23ed0c4aa56fa6521d312181b19bbea3ef8d30551c1f12fbcc111f9b481cd13b672ce094f45a9342a3cd3110c0fdd1ddaa1d77c4cebdfea176bb9d64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aee692128b68517135ba8eda45ccd1f4

SHA1
baf592f6cd931966c9e0baf8401dfe4890996916

SHA256
26fa78b98c6723679baca1272deda24e7a67c95fa3fa62cf06574681cf27e175

SHA512
d5753795a58af275aecc1dee7d00f48b4fcffca2829a3511ab44c8fb806ad2a5b8534b5eaf7d176ba89846a76c5a5087a6c59b6ed90515822e300efd2a83b8a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b299880d33a3519609b6f7a3aca1b6f

SHA1
ff36da23606f89e1cb808cb2a72355d558705664

SHA256
655f40f3c8842294f607a8c7add82a96d6506216fe34984165ef5ae448768781

SHA512
697e19f0cdd7fbd3de7fea44e1aaaa47fed433418a2831bb52116b59f6e0f1fbf7778bdbec89ab399e851abd18a74bc8557bf7a121e56585655c6b2c6f4240d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
408d0e07bfaacfacf49ad812a4f15c2c

SHA1
000e2da4f282d840b968a26b11d54d3c3d6b49c2

SHA256
b08ee6e407003958d876bd3c12368d67893dd2ebef69d82445f80b8874962d4f

SHA512
1101965a21f976bde284760d706a7768233f1fa0f5d556517d7b606f40d7d2449879360e5e54255634849427c6d2102599e0dbc85976c803a531561f8813ea5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
15798ad61809f4c021663f492e4e46f0

SHA1
d7dce522175073f0bd0b633da099872aef1b7bde

SHA256
136585edb8132ad87fa068d8de788758f30420ac60ab2cdb9818ad4948d24bfd

SHA512
6b6f22f4e3fe893eb3ddb9792b42928f49f6ad3b686fa40b9b926aceca3b67b1f1bcd0d398fcaa4837b43c914f50dc095eb5a91f973c322d2a322c23eab8a2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
179103cd5a7b716b1d3009091437dcca

SHA1
3cd10be4fa1368363f9fd7fe3a25b4ea45dba8d4

SHA256
c4da8009857fb99fa6d566d2bf261dfe2e148ed63c94b1fadd3813dc925fee1b

SHA512
7c2eb0e755303d5b67c3177d91baba97b5e10b1b6915b7edd467aef3860680cd36d9a8ea83b27f53004e789276aa0219894915a603ffcb1d8fc1f8c42c7fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
687b3558d687becb30ad8f90997723cc

SHA1
fb326d7d105aba4d26e1764e73fd124cad23f298

SHA256
5283507c63132fdaf5d64bb0a09bcd6ae6d412a4df0be934268bf8e774207ece

SHA512
f827d61fad06764cefbca1688b8b2df7c07a1080be42f524de9765650382db84151ee90dd74b6568ea6f5bc582399695ec2c1c598256076f2dc91ff250450abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tls_client\dependencies\tls-client-64.dll

Filesize
17.8MB

MD5
181458ffd109573a1cde903e187b0b46

SHA1
6822c8b9cad8f13f3c0921205ada08efd693d93e

SHA256
b177778656455f6b8482154238d323a3de4d74f2a8b7a62bd973251a259edb87

SHA512
0f771e01e5f89dd83a8e46d129a7975b6ca395369d82411c9864805f1efa9ab7051e6caa24a5fad121391a25cb84dc991845da976265f3d67f8528aa01a280a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xlxxldg.xfn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
74KB

MD5
71a89a3c706977fdef38c141b1a4cfe0

SHA1
3b4a4673fd98ee9978ed3c40581ad6413ffd1b12

SHA256
8b2b8aa34aa71c582b054e63ed966558c0ba8eb64353c65dbcdefa0b5230eb1a

SHA512
b502b7147cf434e12a34f2c2c720aed2bd2e933c8f7fce6ac3294f6ca90a6c94031610d4f35b470bedd183e681beef8d56315f467c58e5a0e63a6263af441cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\_uuid.pyd

Filesize
24KB

MD5
4faa479423c54d5be2a103b46ecb4d04

SHA1
011f6cdbd3badaa5c969595985a9ad18547dd7ec

SHA256
c2ad3c1b4333bc388b6a22049c89008505c434b1b85bff0823b19ef0cf48065a

SHA512
92d35824c30667af606bba883bf6e275f2a8b5cbfea2e84a77e256d122b91b3ee7e84d9f4e2a4946e903a11293af9648a45e8cfbe247cbdc3bcdea92eb5349c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\charset_normalizer\md.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\main.exe

Filesize
15.0MB

MD5
b47518a173e1dd0c6064a0e4c19b16dd

SHA1
63e59684ffe68cf6491fdc8e0ada2beac232456e

SHA256
eef1b2d466cfd73df414c4088a7f0b85bec5afc1cb7eedb529223032269704be

SHA512
814a00260d125ca08887c5e405eddfa2fee5bb57e155ceb15c20c50d88144ab6c3a3c08c23a9a82e7bcdf0dd3a4199880d2a2d45d7978595dd4fdb174c7c9a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\python3.dll

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\unicodedata.pyd

Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133819678827457200\win32security.pyd

Filesize
133KB

MD5
0007e4004ee357b3242e446aad090d27

SHA1
4a26e091ca095699e6d7ecc6a6bfbb52e8135059

SHA256
10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32

SHA512
170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858

Download Submit
C:\Users\Admin\Downloads\Sapphire cracked.zip.crdownload

Filesize
21.2MB

MD5
c95c7b849e643d4e1e65d18ea92cc922

SHA1
4f55a0a6a7a181a4a4ccbb91286cf4547f35e280

SHA256
df0853cdabd6cd479f645a72eb068c451392bd9698807933158e6536ca7c3359

SHA512
587080121e6f26c3e6e7709724a097cfd0a9b46cbd179645c0be394f431bcd40f74b910c23219cd9877d1d4d77b683e1ec6be38f39e83f61c16350f7006a65d7

Download Submit
C:\Users\Admin\Downloads\Sapphire cracked.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\System32\Anti Spyware services.exe

Filesize
57KB

MD5
88fd44cfc28228a3004d2b265ec133b0

SHA1
63282e88bbd07ca9b40f05ce607347bacd1f5ef5

SHA256
98d6e5c7763b469fbca5b039b561e3509cb610285a841b1ad9e1bf1ed8b6670d

SHA512
9f959055a84b9b262b1451ba26a394950498c0415d1b800e861fbb6a9654f4e05ccc02d695f528ad4c09eef34732e3aebb7990934d86ebf31398efd3abc82e6c

Download Submit
C:\Windows\System32\Soundbording Microsoft.exe

Filesize
78KB

MD5
a4d1f19c96ecb6b4639be9f9abf95ac5

SHA1
19408bf23ea75ec60d1c08415f736e7a99a3304e

SHA256
0dfd433b99ca7fe4222f456f6dadea22fbe7a1342c59dbd054cf39cf2321598f

SHA512
9ce4ee6abc9b77b3e43502065e40031b71189a3e0c2561b4fe2a329bcec6443a462c774d01751a59d701185d8fa92f13ac13fdc4a42df6aa516ae434cb4e0299

Download Submit
memory/736-134-0x000001D94FFB0000-0x000001D94FFD2000-memory.dmp

Filesize
136KB

Download
memory/1012-180-0x0000000000800000-0x0000000000814000-memory.dmp

Filesize
80KB

Download
memory/1428-297-0x00007FFC86EC0000-0x00007FFC8804F000-memory.dmp

Filesize
17.6MB

Download
memory/1908-128-0x0000000000C10000-0x0000000000C28000-memory.dmp

Filesize
96KB

Download
memory/3620-255-0x0000021C79310000-0x0000021C794D2000-memory.dmp

Filesize
1.8MB

Download
memory/3620-253-0x0000021C5EBD0000-0x0000021C5EBE8000-memory.dmp

Filesize
96KB

Download
memory/3620-256-0x0000021C79B10000-0x0000021C7A038000-memory.dmp

Filesize
5.2MB

Download