Analysis
-
max time kernel
81s -
max time network
77s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 00:38
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1233411619078279248/1234166922568929280/CatalystInDev_0.1.zip?ex=664e1184&is=664cc004&hm=ec83d824e06fd1f0661a9a56a855348cc2d266cfc77cf91d21894df10a8b9b90&
Resource
win10v2004-20240508-en
General
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Catalyst.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Catalyst.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Catalyst.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Catalyst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Catalyst.exe -
Executes dropped EXE 2 IoCs
Processes:
Catalyst.exeCatalyst_InDev0.1.exepid process 5452 Catalyst.exe 5684 Catalyst_InDev0.1.exe -
Loads dropped DLL 20 IoCs
Processes:
Catalyst_InDev0.1.exepid process 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe -
Processes:
resource yara_rule C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe themida behavioral1/memory/5452-102-0x00007FF619150000-0x00007FF61A51F000-memory.dmp themida behavioral1/memory/5452-103-0x00007FF619150000-0x00007FF61A51F000-memory.dmp themida behavioral1/memory/5452-104-0x00007FF619150000-0x00007FF61A51F000-memory.dmp themida behavioral1/memory/5452-183-0x00007FF619150000-0x00007FF61A51F000-memory.dmp themida -
Processes:
Catalyst.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Catalyst.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 55 raw.githubusercontent.com 56 raw.githubusercontent.com 53 raw.githubusercontent.com 54 raw.githubusercontent.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Catalyst.exepid process 5452 Catalyst.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeCatalyst_InDev0.1.exepid process 1108 msedge.exe 1108 msedge.exe 4696 msedge.exe 4696 msedge.exe 4168 identity_helper.exe 4168 identity_helper.exe 4388 msedge.exe 4388 msedge.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe 5684 Catalyst_InDev0.1.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
7zG.exeCatalyst_InDev0.1.exedescription pid process Token: SeRestorePrivilege 5244 7zG.exe Token: 35 5244 7zG.exe Token: SeSecurityPrivilege 5244 7zG.exe Token: SeSecurityPrivilege 5244 7zG.exe Token: SeDebugPrivilege 5684 Catalyst_InDev0.1.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
msedge.exe7zG.exepid process 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 5244 7zG.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe 4696 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4696 wrote to memory of 2252 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2252 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1480 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1108 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 1108 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe PID 4696 wrote to memory of 2352 4696 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1233411619078279248/1234166922568929280/CatalystInDev_0.1.zip?ex=664e1184&is=664cc004&hm=ec83d824e06fd1f0661a9a56a855348cc2d266cfc77cf91d21894df10a8b9b90&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b7d46f8,0x7ffd6b7d4708,0x7ffd6b7d47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CatalystInDev_0.1\" -ad -an -ai#7zMap1796:96:7zEvent97221⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe"C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\Catalyst_InDev0.1.exe"C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f448ec43c87c44f1108069ab88951252
SHA168995b3c24243afcaced32c9fb66c1683a8d0701
SHA256f41c783f1390eff699667ecd0bb7e9e1389ea214dd76bcfbeb32c13c7675212b
SHA512dbda74c31c0cec8148c8313e811016a4cbdd51faadfefef5c7456dd6a84aa824ad6b36644eb370ce0710cff4b6b53fc17ea795423191eb062061c26e2d62df6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58c444d18e444074c5851c258a97c577a
SHA10a608b0b4f7a0617d469138d4151c0928d301515
SHA2565df1a1c1c1b0b52990758bf4531d9d5283c50b6e04aae1342fb836764dafae7a
SHA51216cb78741c8934373f9f51240f120a74de79aa8a3853b5e51122b023e1d23ee0a878a0a9bc5f38cab49aba7b088859b59ae3cd4894f237bfb242fd069488c02d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD57a1bc810649c62ed46f790eb7c483719
SHA13239cd59000ebfe7acdea9fed19e4de9e9944955
SHA2566b589a9547b3f4e9f9637e4cbf610679a42e6cd02448045811c0baf3ba368fa9
SHA512b4375a53b685f99f84ecd96884498a9a3f3b2dcd55615f6accb5e1588c122a07202cd6861049d7bf423c932d02c00311f8bc28fca949e1869ea5eb7b12adcfa5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD575f347ed6f8885f23fb064f44b1370b3
SHA1d94de3d1bcb78221b4eae0dffd4c8ac58cd6673a
SHA256e181b47e06d9ad34367faa78c5f285b65f2d98eaacc088d3e4a445954d810ff2
SHA512fd0bf295e498a5493be29f93b8b40ab7559b081d55e5df03b57481c3e9f4d339ea27bb73fb0ea43001cd705e38f82b96f62f8e66687bf1991b6580ac6e2165c6
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pydFilesize
81KB
MD54101128e19134a4733028cfaafc2f3bb
SHA166c18b0406201c3cfbba6e239ab9ee3dbb3be07d
SHA2565843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80
SHA5124f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pydFilesize
120KB
MD56a9ca97c039d9bbb7abf40b53c851198
SHA101bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pydFilesize
62KB
MD5de4d104ea13b70c093b07219d2eff6cb
SHA183daf591c049f977879e5114c5fea9bbbfa0ad7b
SHA25639bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e
SHA512567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pydFilesize
154KB
MD5337b0e65a856568778e25660f77bc80a
SHA14d9e921feaee5fa70181eba99054ffa7b6c9bb3f
SHA256613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a
SHA51219e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pydFilesize
76KB
MD58140bdc5803a4893509f0e39b67158ce
SHA1653cc1c82ba6240b0186623724aec3287e9bc232
SHA25639715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pydFilesize
155KB
MD5069bccc9f31f57616e88c92650589bdd
SHA1050fc5ccd92af4fbb3047be40202d062f9958e57
SHA256cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32
SHA5120e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pemFilesize
285KB
MD5d3e74c9d33719c8ab162baa4ae743b27
SHA1ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b
SHA2567a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92
SHA512e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pydFilesize
116KB
MD59ea8098d31adb0f9d928759bdca39819
SHA1e309c85c1c8e6ce049eea1f39bee654b9f98d7c5
SHA2563d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753
SHA51286af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dllFilesize
3.3MB
MD56f4b8eb45a965372156086201207c81f
SHA18278f9539463f0a45009287f0516098cb7a15406
SHA256976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA5122c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dllFilesize
34KB
MD532d36d2b0719db2b739af803c5e1c2f5
SHA1023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dllFilesize
686KB
MD58769adafca3a6fc6ef26f01fd31afa84
SHA138baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA2562aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pydFilesize
65KB
MD53cba71b6bc59c26518dc865241add80a
SHA17e9c609790b1de110328bbbcbb4cd09b7150e5bd
SHA256e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996
SHA5123ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2
-
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pydFilesize
512KB
MD5dc08f04c9e03452764b4e228fc38c60b
SHA1317bcc3f9c81e2fc81c86d5a24c59269a77e3824
SHA256b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f
SHA512fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\Catalyst_InDev0.1.exeFilesize
18.9MB
MD5a741156268d6ab6453764be886311f4f
SHA13bb0602428b38ffbc87d3862f690a3bbdae8f8ce
SHA256d4a362825a355126eafd5fba2795722948bb6215456415d9ae9ef05f09c2cb6c
SHA51248cd06115b888f47c20bbeaed584a2c9f61b12e3cef5f61f3165f3dfa92b580f9992c70608c1224024c3379437366fa54404096ea3ab37cfca79a81bb8fb4a98
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\VCRUNTIME140.dllFilesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\_queue.pydFilesize
30KB
MD5ff8300999335c939fcce94f2e7f039c0
SHA14ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a
SHA2562f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78
SHA512f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\charset_normalizer\md.pydFilesize
10KB
MD5723ec2e1404ae1047c3ef860b9840c29
SHA18fc869b92863fb6d2758019dd01edbef2a9a100a
SHA256790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94
SHA5122e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\python3.dllFilesize
64KB
MD534e49bb1dfddf6037f0001d9aefe7d61
SHA1a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA2564055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\python311.dllFilesize
5.5MB
MD59a24c8c35e4ac4b1597124c1dcbebe0f
SHA1f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA5129d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\select.pydFilesize
28KB
MD597ee623f1217a7b4b7de5769b7b665d6
SHA195b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA2560046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA51220edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f
-
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\unicodedata.pydFilesize
1.1MB
MD5bc58eb17a9c2e48e97a12174818d969d
SHA111949ebc05d24ab39d86193b6b6fcff3e4733cfd
SHA256ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa
SHA5124aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c
-
C:\Users\Admin\Downloads\CatalystInDev_0.1.zipFilesize
14.4MB
MD56b112c76ce355029b96e313a95a24d68
SHA197a99cce899342920f27b7eb05aab4f119ae25e9
SHA256d001c2b60e136d3805c2d86802158d3219d4f3952436e19191690d88fb39f638
SHA5124071a0f923bf1283f4e694e7aacdd69f6fa075c6904dc2ccef0c31977f694468ed0beea024d3d14d4c1b5779141ac2a88727c837ad1370cb395d0f5eff2081af
-
C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exeFilesize
14.0MB
MD5b765109a6a7d339473b61ab9a759aa0e
SHA1ade52ded8366094eee9d2a5827bfe45b3b7a977b
SHA256b5e63f3bbfc75de4da25277b7a9fa0b650e8e2bc72c2af0087bd09698a9d098d
SHA512ff813e628761d8ac3ee433fcf40dfaac26dd25ae7ac5ce1680c851e4dc9c69398590007043e2eebe5da0e407c917320cea46782bed072ed72f7d3826f868292d
-
\??\pipe\LOCAL\crashpad_4696_UFTNBCUVCHSYGLHDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5452-102-0x00007FF619150000-0x00007FF61A51F000-memory.dmpFilesize
19.8MB
-
memory/5452-103-0x00007FF619150000-0x00007FF61A51F000-memory.dmpFilesize
19.8MB
-
memory/5452-183-0x00007FF619150000-0x00007FF61A51F000-memory.dmpFilesize
19.8MB
-
memory/5452-104-0x00007FF619150000-0x00007FF61A51F000-memory.dmpFilesize
19.8MB
-
memory/5684-184-0x00007FF648DC0000-0x00007FF64A0F2000-memory.dmpFilesize
19.2MB
-
memory/5684-220-0x00007FF648DC0000-0x00007FF64A0F2000-memory.dmpFilesize
19.2MB