stormkitty | hxxps://github[.]com/luis22d/ZeroTrace-Crypter/blob/main/ZeroTrace-Crypter/bin/Debug/ZeroTrace-Crypter[.]exe

Resubmissions

27-01-2025 20:56

250127-zq3zzavnfx 10

27-01-2025 20:53

250127-zn91hawjdq 10

27-01-2025 20:14

250127-yz7h3stpft 10

Analysis

max time kernel
300s
max time network
298s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-01-2025 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/luis22d/ZeroTrace-Crypter/blob/main/ZeroTrace-Crypter/bin/Debug/ZeroTrace-Crypter.exe

Score

10^/10

stormkitty collection discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00280000000463a7-759.dat	family_stormkitty
behavioral1/files/0x002c0000000463c0-771.dat	family_stormkitty
behavioral1/memory/5164-773-0x0000000000D50000-0x0000000000D76000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Downloads MZ/PE file 1 IoCs

flow	pid	Process
24	1044	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
5320	ZeroTrace-Crypter.exe
5440	ZeroTrace-Crypter.exe
5456	ZeroTrace Stealer.exe
5164	Build.exe
5196	Build.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
98	ipinfo.io
99	ipinfo.io
101	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dba23a64-3512-4cdb-bdd6-ade2ab04d998.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250127201446.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2136	5164	WerFault.exe	130
5580	5196	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZeroTrace Stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZeroTrace-Crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZeroTrace-Crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4584	cmd.exe
2952	netsh.exe
5236	cmd.exe
892	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3454535599-122122096-1812617400-1000\{EC28BF1F-58F7-44C0-8026-B0A240ED7650}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 49623.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1044	msedge.exe
1044	msedge.exe
4240	msedge.exe
4240	msedge.exe
4048	identity_helper.exe
4048	identity_helper.exe
4044	msedge.exe
4044	msedge.exe
5692	msedge.exe
5692	msedge.exe
5456	ZeroTrace Stealer.exe
5456	ZeroTrace Stealer.exe
5456	ZeroTrace Stealer.exe
5456	ZeroTrace Stealer.exe
5456	ZeroTrace Stealer.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5692	msedge.exe
5164	Build.exe
5164	Build.exe
5164	Build.exe
5196	Build.exe
5196	Build.exe
5196	Build.exe
872	msedge.exe
872	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5816	7zFM.exe
5456	ZeroTrace Stealer.exe
5628	7zFM.exe
5248	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5816	7zFM.exe
Token: 35	5816	7zFM.exe
Token: SeSecurityPrivilege	5816	7zFM.exe
Token: SeDebugPrivilege	5456	ZeroTrace Stealer.exe
Token: SeRestorePrivilege	5628	7zFM.exe
Token: 35	5628	7zFM.exe
Token: SeDebugPrivilege	5164	Build.exe
Token: SeDebugPrivilege	5196	Build.exe
Token: SeRestorePrivilege	5248	7zFM.exe
Token: 35	5248	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
5440	ZeroTrace-Crypter.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe
4240	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5456	ZeroTrace Stealer.exe
5456	ZeroTrace Stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 632	4240	msedge.exe	83
PID 4240 wrote to memory of 632	4240	msedge.exe	83
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 416	4240	msedge.exe	84
PID 4240 wrote to memory of 1044	4240	msedge.exe	85
PID 4240 wrote to memory of 1044	4240	msedge.exe	85
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86
PID 4240 wrote to memory of 2008	4240	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/luis22d/ZeroTrace-Crypter/blob/main/ZeroTrace-Crypter/bin/Debug/ZeroTrace-Crypter.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffa259d46f8,0x7ffa259d4708,0x7ffa259d4718
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c4535460,0x7ff6c4535470,0x7ff6c4535480
    3⤵
    PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6824 /prefetch:8
  2⤵
  PID:4616
- C:\Users\Admin\Downloads\ZeroTrace-Crypter.exe
  "C:\Users\Admin\Downloads\ZeroTrace-Crypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5320
- C:\Users\Admin\Downloads\ZeroTrace-Crypter.exe
  "C:\Users\Admin\Downloads\ZeroTrace-Crypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4844 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9236333549963297474,9294892139977845182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3264

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Release.1.0.0.0.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5816

C:\Users\Admin\Desktop\Release\ZeroTrace Stealer.exe
"C:\Users\Admin\Desktop\Release\ZeroTrace Stealer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5456

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Release\ZeroTrace Stealer.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5628

C:\Users\Admin\Desktop\Release\Build.exe
"C:\Users\Admin\Desktop\Release\Build.exe"
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4584
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2952
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 2424
  2⤵
  - Program crash
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5164 -ip 5164
1⤵
PID:3128

C:\Users\Admin\Desktop\Release\Build.exe
"C:\Users\Admin\Desktop\Release\Build.exe"
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 1856
  2⤵
  - Program crash
  PID:5580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:5236
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5340
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:892
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5196 -ip 5196
1⤵
PID:2400

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Release\Build.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZeroTrace-Crypter.exe.log

Filesize
1KB

MD5
d4416b6bdae28d02f58ee6b2e5d7bbb7

SHA1
27d5896a0bc9b990a408e54a7d2a5a64d71e9e93

SHA256
ac6e8331d48bd24244597a326a3973f4d7b3328ecfec4e765f92c64967041689

SHA512
d86a7900137ec23e2e330a61843d0bc67f3f657a701ae3a8380ed324dcbeab3d26ece8264dfff2c2670e0b2c90fb6715d9959ae08f2ed4f574e45dc84d4e0e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17ce65d3b0632bb31c4021f255a373da

SHA1
a3e2a27a37e5c7aeeeb5d0d9d16ac8fa042d75da

SHA256
e7b5e89ba9616d4bac0ac851d64a5b8ea5952c9809f186fab5ce6a6606bce10a

SHA512
1915d9d337fef7073916a9a4853dc2cb239427386ce596afff8ab75d7e4c8b80f5132c05ebd3143176974dbeb0ded17313797274bc5868310c2d782aac5e965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63af7b2048710d6f167f35d94632a257

SHA1
812c8f140a72114add2f38cab52fd149ad8bdcfb

SHA256
15aafcc88226b6178e02a93858555ca48fb205ae317815ce31aa547555329046

SHA512
0519b7dcbce66aecefbd2aaea6120c0da213d8bb3e00a7599bf2e390bee3f643baf952cc553766f8c2779fe9fa303570a56a8c846c11e2fcf9c2075c1e41ccc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\28e0606c-c9d0-4f6c-8e8b-5806a60b3077.tmp

Filesize
5KB

MD5
189b01b8f4c39e2740cbe2f364b61845

SHA1
b7e29140fddee94085030dad377e9869c4391bdd

SHA256
e7db99b5d505dac17f977e7e3c9b661d54224ca953139eea75cd3bef6f44a33f

SHA512
c7d872cef5b8eaa35e3342e62d3b45d88280a1f6c6b0792528c5ab4b1f9434999f68a39c1c015d12c752f2aa70ece70f12c4022156da9a71e4722c1a876037a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
20KB

MD5
edff034579e7216cec4f17c4a25dc896

SHA1
ceb81b5abec4f8c57082a3ae7662a73edf40259f

SHA256
5da4c64f6c1ff595779a560e215cd2511e21823b4e35d88f3ba90270d9244882

SHA512
ab2dcd1628a0d0cadf82eebd123526979e8cf0a2a62f08f1169d4c03b567eca705bd05a36e5ffa4f6c3df393753b03e3daa18122955dde08fd8e5b248694e810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
c8fb853788f0285724b097e898dbfc90

SHA1
97fa6ea08ccb3b4dee9889547289d83e61de2ea3

SHA256
e5d5fbced4ed0dd05d60f1caf57a07c331871467b07b37bd0ac24aa6cc988b47

SHA512
52978223c243152211fb7413bbafe9721d5c83edbdc46dc7b3d67c1d4e21997d83d305bdce3e1019d96c75fc070b01cb746ef23aec3cbb5b4ae1f5ce9007c49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
eed41e92bb4b11741b3863a35181f32a

SHA1
1f8a013eb5f52b1671f0a1cd8ac451080ebdaf67

SHA256
3aa535c4a0178fb718f5978f168324400cf28f7e7603c04f080d99d3acb224da

SHA512
57d21037bf90f25191b344712824b73908831932d89052ae63087c575e9dfad25345959e2129eb21c6b19527adbf1652f8e335e21674baf637925b3fc31b5c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
adf171fa4c8305c29c5c6ef5060f9bf0

SHA1
0e307250629bffffaa6ecaa216024be44136577c

SHA256
77eb2425d59b6a8623b8739e625ae5a51a766929a434847920d0d8ffd752a30e

SHA512
12c2918fe8ad8eb56eb25534b99feafc96d9a63fb798cf1d80efd576b322a5230734babcba813b8d846c20f5c8ffc19c387e7c1ed7c6cb539bb4fae93709f79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
80451651883772a2c4d7bf7a913c6181

SHA1
c3b4b16924ffbabd4418d1c6e9153007924f5221

SHA256
43c58bb9b54a36256b8675e687c9998439ea0d73321867deabcac3818bf0931c

SHA512
8a00a3beeabcc2ded64cae708e483bcab659ef05da386d207e57f6044b860642d0bd619857dc47e4276ebceee111f003e1b9124b17306705754467d7bfc425c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8f481252618a14c8010d5aeae8a8e693

SHA1
f3509ac1fc26074ed78c75c68acba48e7d04fd1d

SHA256
d58c20dcf34469b32a207da50f05dd5a1296f8c2bd0e082b1caebe5bd43e7a3a

SHA512
55c93bdfe2032670544636186f5aa7a67b49b4ddee8a762d92f8402ddd8f77a34903b0f3b53ec173a8b2884e72615bd256d05632006a6d40c720d79de968af02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d9e0de6b6dd21a6621a05c8d3420e5e8

SHA1
aac146d219cf1aeb595e28d14f3b4bbf2dde8a1b

SHA256
2076f28e4cb0638c4a3357f4f41d6dcd6fdf480a18691d707e8b7d993ccbb274

SHA512
ebd4329e7d2d3b8098b627a0fd39d79d7c401fc78a04f7ef65dcfa7e66f7c5ee1d3aca7435c4b01e5907c9ee0abd87f2ab859c400b0ae0c7b60efd2f0b846021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58b977.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
42741f654935dc7e7c4662170eed3cf3

SHA1
c5238ae6af52ea09acdbcf8f8b2ce16ec57a429c

SHA256
1398aa47e146e8689c504e39039b23e8d2cff7a97c193b6512209ab3239e4f25

SHA512
c0c1499f9953c4bff20824ca2935ab1826a72ff244be3c3c63298530c47ba9d9ba376b892acf45feab613e372995be7609746775ca7820374db16d86a095a5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ad0704fe15bd6d7403e6e1276bc6ff7

SHA1
e6f187624d62618620891e9f3ffbfb8a7f99c410

SHA256
12e96697535523aa082503dfec64446f7fa065f1c5e473ba3b503f82a8a0e70d

SHA512
4ed91c30ff195e5768ce20afc4e2dfa8fa30ffd201300a2801109a74b509cea57409eea253d81796f8c9c15121aa35872fe17e49e1141d1617af1ebe157a8303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e4c9b3430ccc90799a35cb22562083d8

SHA1
2fe0c5b3c0dd61ccb39a0dd8dcb6175288b4ea59

SHA256
e52387eb9c23d8ed336c1a37cb3c00acb8be7d95a145b009e77678825e8ee504

SHA512
e918336d2f920aca41c147a13af20e39b9afd8ebfe9302eeeb3a5a030059ee8b6002b738e63be4d02eaa38c08a2118ae499fc9a43fc6937f71f7c82fcafbc09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81900e4b4c608086c7f990f25d0078a7

SHA1
469c78364ec3df81aee5811a500281041228ce00

SHA256
3e424fbdd5130f8d8962c074a22ff88d22f807b0d9f97d07a465eaee2185ef39

SHA512
d2ea81ab2d7c6c93da8c7e680911b33ab8734e30efb9d1ec3fad1e304eabf14f8ab55edf19d3cb3e0cde7cd4e6bc045cb978656b1a586b8aaede25424f189ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
000462c1062a731cd704aaedd9af7f08

SHA1
5c305ca0fb26e487de9c189b71de4c7b28b04252

SHA256
478082fae9c8e1aa446866606b7688225f171ffa2ab01800342d0e6c0ab52b38

SHA512
8142c0e05d45a3f20b519ba40f2452cdaf99172690b8cbb139f80e0689416bb9715f07a1a1fbd199f6bf768e0aa8fe865c48332518227e9f9d88211ba0ea2c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d46ac3109a517d5839fe41af3e47f648

SHA1
9180210252e106d0822db9ac7c169b22d09c8799

SHA256
df4302422fc3dbed752b3a14c0ed0e2f3cc224dd41a6ce580b0b1afba634d8b9

SHA512
aaea2e45d55dd588376993eb93b502d0502dd965c59ee71ed280269ffcf5f1808cd069d94201a76df5e93ac2a1c1a0d4e811150a687a938c20ce14826646f3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e419f66536ab93f7797536388763ffa

SHA1
4328d8e899ea536b3223b2462810214749f2a1dc

SHA256
a09efa22459a2279531149980f63c9e5666dce91b4372b6b2db8b49c4a8ee4e4

SHA512
bba4ca369b724e89a776e91eaf656291cf396423c7a43ac2c584ee38821be313f2784919de50580289707b91ac4ea6e0f2b8416969569d33aac0cb7ccfd39fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e8659776f2af1465c12f771ff41c625

SHA1
f74b6cbd42b182d349aad76a9c9605ba7cd3fe3b

SHA256
1833ec534d30b546fe678a40723e6f7187d0e3612dc41bca32765edd814de8d7

SHA512
da12fac554e5d0acbdd2b0e2c5385d2bc8cfcabb57fea6dae1334f35a87be5c8ce6fe4c7a5c3e8e83f14e4670f7440ef561d2df8407710b1197b8cafa7cbe7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b8d5a6329bbc5edf31844f6bfa4ae972

SHA1
1014d91ea7a8867459e7014a725794728d75793d

SHA256
2d90e12869f60c869911a3030ea58211b6b0da7c53d396769f4b3dea0c406309

SHA512
d6b4a08d7188e48b3ec2dbaa78f1ccc23334f43266602c677ba5c52d54554ad02e5ffc32e852de47291e3f1291dfc34db62d4a1eb5f631aad0a0340d30e5f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8ade2f3a82060e6d5b1e97b275213d86

SHA1
a13c13d850addf7c1c1d58c583255f77b40b7834

SHA256
fc73beb5ec396531d7267cd4980e720590ae4c7c34b6bc63bcceef59730d324d

SHA512
51d989a44462ffea680e4bd9b20c46705793236712d11f0400e12caaac3512d662a41b4b49e7e309c8e752dc7738eda080451b74736c6428541196dd7bb8ca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d835e1e7ee43af39962d0c14d947a735

SHA1
8e5be8ac036a2da1565f672afbe587298483b65b

SHA256
7943f37ff5fdc191f31a27ad416087cdca2046593c6f42f3735c15a65dda467a

SHA512
53d6bc367026b5ff23233bccec08d473f6874da459f782a4617d0f108b4892ae11d6326cbac7b9aa911eed0a3719c41a0755c96f09e3ab5ef53721ddd08bd90c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
30f425d132b7f1b4817f40445acad276

SHA1
5f0505ad77e0f8f2a27a57f5e9c2b66e9c010ae1

SHA256
71919a27ee2b4d84abd376aeb8589b9990a7023198b5e0cc8f437f4cc4dbb4c9

SHA512
b7a67e275b158129caa5e658f1ebfd3a68ee7018b87791955fb5b2cdf39cc838e9c25a25845302a610379a3f39f1e13e53fc5230af6dd6eaed311db94c2a72f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7ab2b610a6f488cf76547055a83c164e

SHA1
2672ba0123f4c82b5446c7cd7d86690b60c6bfa1

SHA256
71d45962b9f80884d1619552849e17122e99ef159acc5f9b2a89a778a4645d03

SHA512
083b820e1814e3f8c6be74e9569348e380f27fa5fa572a81a11367e1ae072a5bc94b3440ac2e307788bae2dce6bc2d68bf2a34872efd432cac84cf00f8479f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
209f7948857fca1cf8c9e4b0078e43ff

SHA1
47bd3081246d346dcd7e1166771a28a7e2af63a8

SHA256
adf7f16f70ac3aba0b34b3ab9c0cb73b9ec623b738cc6e02976a9ac803c3ad00

SHA512
bd2f02e712954c21727165cc56b28b3b1d1efe5a1e7d142731f5d21fe8e4418192257a62dbe16eb2bd7dccdbbffdb0185b9012f69909a52c0fecef03f2a6ef81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6cfd4f44a3a3840da4f4eb893570873a

SHA1
bd08f8024403c09bc40a8f1fa9b0e1f55e96a32b

SHA256
57965be71495e002821f5de0c2cdd4fdbf60e56d2c9cfd1c1ef0917d5480655d

SHA512
a84765de461473318e5e0fae63d090354d0fadc545ffff5ae176feac1f738b805dceee029e9278b412409437d3aabe1c1f7af99706b4f88510a16f9161d1ed36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5818d2.TMP

Filesize
1KB

MD5
dbf4173749de96c2cbe8f04feca95c77

SHA1
560bc44a31b2f635a61f3b5855a3d14d66b8e759

SHA256
fd4cc4e31b4f873aa922a9d6c9a81a123fa970f47aad6d7f2cba6a52f8a7ad12

SHA512
21e4697d9784fab8cf7bdb33515e330f5a258e03b8fba22b38fc379e31abc16b16e9596ac64defd347f85a5d5103da15c077fac45e2421cef4a78dbb64bbac35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\aa3f6c13-9957-4679-b1d1-d8e973eb6466.tmp

Filesize
496B

MD5
30322550d9f9c54f345ea1c71f3b2e8f

SHA1
b5a3cff2995147279c2bbed7c03b2280ecb286e5

SHA256
4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

SHA512
261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0470ee22ed856bcb728c1d830ee11b7d

SHA1
39a6d74936b2d4b0804bb4ae5c641e0da8734d1c

SHA256
6774d0ff3a793d311de7fea8b4cc9210ef0b5a45452e6c9cc4edaad99370fc11

SHA512
9fb5a2c9a7c6d2ee6ce5bd325b24e7775cc08181cf092e8336e3f2a1ede7c2b31d16194d9587836799adfd0f90bbdea51418c1ea292e135c7db83a7d00a4bd9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6b5f85d9e72e49a1be34dcf2ba1e344d

SHA1
b19f9fa6be80b99d745f0f2f64a6a303f4d3f32e

SHA256
8cef16d05653338fabb34528aa898534c47cacb1b13245f9d476d76e518fcbe6

SHA512
421a4cfd49c465dc186e849f2638a76756d5238e8fae8193ba4826d978a1d0049d1ca264e3318f7d19cb13c509173cbbccf09110deb3f639ef8e8347794e84d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70c946a3e357af208eb2dc8cc2b7ae55

SHA1
2bee4a4eb8b40064798bcf9e54e47635570be035

SHA256
712686599e7c5b2de125997f19d2fc3310aaa09b70644739fcd5c06d57f33a70

SHA512
d2eea1b6605118e68d798ba4a8c92e09345497da5436d1b44751b208b3da46a91728cbbe664cf914cc0e1bbf0a438466cdf0cd9c2998178e749a05e9febfdcb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bac5342951f9546a801d7111127a1346

SHA1
c9fb7684d26a69297078a1a395c9e82bc74dc2a3

SHA256
7849162c9be8e4e0fccce37db09a51d533f78521483738a0be31ee1309587f27

SHA512
ccdd4135f6989d3753fe6f73396ee3bf15bd791859a0a3ed41f400a65d2f9ef619398b786cbf85df51530cf7eeb453987b137cf6b1f3b59035657143f65b221c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84788493150dbb551f6f2c3ff23bf4cb

SHA1
671d4c3701bc9655864f7f87848f978a9e8aeb24

SHA256
471a41067ed88cc6d0bf5f1c7b658d2e540c6a786c29dc62b820f80cb05fe5f9

SHA512
5c82fbf2c08ba32879f64adbb719fdb6dbd878b8ac6e61d916fe90cee18ab5f7d7aa0edbff85513084a6ccac3b24c9b6d1392549d5313501d5af1be67df34f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\181.215.176.83\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
28689ecdc56f51f3d6d7bfd12e4c1622

SHA1
d41eb630111c6a310f43a6209047ad043dedfb0a

SHA256
670d030e8e264a20c51b5b6a8e555fcb2e675a25ee49a6af3f0b80a48c418a9a

SHA512
173094c22c76f84d88f5bb7552ba418a3ae336213a98c6bf60c571f7325a95da02a2500745dd4e35b803db8badacb1be4a73f475f6ccd9e5693af0190c7b3147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1ab8aacb13e6ea285e57c9c0d282c7a2

SHA1
2e1a28b6aeb013254c07d36386df9fd3a59c1090

SHA256
d14fc2a6ba5d5180df8d1a461211e646ae4aec333d561153abadff702da74c5d

SHA512
5a58d5671bbbfe49cc259dd00eb8ba7e925e5a6ca1f0dcdf2ef20bccbf5a07653d1a2be10e511f5852530902ad1e36cf2a9ade8f51c20dcde8d65b45224bfa9c

Download Submit
C:\Users\Admin\Desktop\Release\Build.exe

Filesize
123KB

MD5
3a8cc2b050b0a00546f46ddd02107183

SHA1
7f8a396d1ccd8f17f3696a8ebf8e585b38aec3ea

SHA256
7858dc341b6b1b1de490c4e294d6766425621b0acd1623d5bdc9e9e97d129f53

SHA512
58edc3b6dc97d7d5aed58e058ab3ae1f3dfa41afb34a04a4a7a4f34d013178f3fb24f5dbb39c972a6e3b11436ad9bbb39cb2de32c4ca6597c0605597dbd458c1

Download Submit
C:\Users\Admin\Desktop\Release\Stub\DestinyClient.exe

Filesize
124KB

MD5
18a330c0c46815c227282a7904934490

SHA1
f3cfb765a2dabbf2b8387c345116de9d6fa32583

SHA256
037cbf74f9c74780a84978646ae71eb7cf1c1324b7dff7828a92383d17896f4a

SHA512
b27e92d34126c3007875c80d05287a153c15fca763a93ac133a1fe3d280b7da9a66a055770205233c60a857c9d867bdb4b5214bebdf85d6ca9c507aa14ae7692

Download Submit
C:\Users\Admin\Desktop\Release\ZeroTrace Stealer.exe.config

Filesize
2KB

MD5
d2d76798243e9d787f0217f76250dd1c

SHA1
be724195268ef37a3e4973b58e8911bcebad3723

SHA256
d5ad1a012e509966ae8f23373aa9b40a82632ed59e32450e24b0d61d5aa5136f

SHA512
23aa51d74127c8a55141b45b177fbfa4cea0fe943de94641c34d7862c109193862426953755392516aa71ea522156457e89e2da9aa3eda7f6b9b8ff386c812bc

Download Submit
C:\Users\Admin\Downloads\ZeroTrace-Crypter.exe

Filesize
7KB

MD5
7fb0a21da09afe693de4d3241dae434c

SHA1
712829512700637dc7e0bfb67c92998eca5ab9ef

SHA256
ca3aaf12f6ad7c674c8954becdadd54006e6a90985d244bfd13ece453ea6cea9

SHA512
b5ca2dbc5425bfd9dd4d3937780235121ae47a9491c09bf3c8e4a126ecee5fef8b9c4126cf8348f3859db662e6f3e6776feb94437c46be317b33ab9dbc15d42e

Download Submit
memory/5164-773-0x0000000000D50000-0x0000000000D76000-memory.dmp

Filesize
152KB

Download
memory/5164-774-0x0000000005700000-0x00000000058C2000-memory.dmp

Filesize
1.8MB

Download
memory/5164-775-0x0000000007060000-0x00000000070C6000-memory.dmp

Filesize
408KB

Download
memory/5320-310-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/5320-311-0x0000000005C80000-0x0000000006226000-memory.dmp

Filesize
5.6MB

Download
memory/5320-312-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/5440-314-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/5456-741-0x0000000017890000-0x0000000018E26000-memory.dmp

Filesize
21.6MB

Download
memory/5456-737-0x0000000013500000-0x0000000014894000-memory.dmp

Filesize
19.6MB

Download
memory/5456-736-0x000000000D980000-0x000000000E03C000-memory.dmp

Filesize
6.7MB

Download
memory/5456-735-0x0000000000770000-0x0000000006390000-memory.dmp

Filesize
92.1MB

Download
memory/5456-738-0x000000000C980000-0x000000000CEF6000-memory.dmp

Filesize
5.5MB

Download
memory/5456-739-0x000000000CF00000-0x000000000D6FA000-memory.dmp

Filesize
8.0MB

Download
memory/5456-740-0x000000000AFF0000-0x000000000B10A000-memory.dmp

Filesize
1.1MB

Download
memory/5456-742-0x000000000B980000-0x000000000BA80000-memory.dmp

Filesize
1024KB

Download
memory/5456-758-0x000000000ACC0000-0x000000000AD20000-memory.dmp

Filesize
384KB

Download
memory/5456-753-0x000000000F610000-0x000000000F630000-memory.dmp

Filesize
128KB

Download
memory/5456-752-0x000000000FA40000-0x000000000FF6C000-memory.dmp

Filesize
5.2MB

Download