gurcu | hxxps://mega[.]nz/file/o71QDABR#TFT8_ehMtP2w4W8lBDajOedTlWTsBmYYRPBks7KYp5s

Analysis

max time kernel
222s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/o71QDABR#TFT8_ehMtP2w4W8lBDajOedTlWTsBmYYRPBks7KYp5s

Score

10^/10

gurcu xworm discovery execution persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xworm

posts-vessel.gl.at.ply.gg:36177

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7242122864:AAFBsG5SAGw_Flfuys74YhEnKLTVdPESOnc

Extracted

Family

gurcu

https://api.telegram.org/bot7242122864:AAFBsG5SAGw_Flfuys74YhEnKLTVdPESOnc/sendMessage?chat_id=6229207397%20

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d73-749.dat	family_xworm
behavioral1/memory/2380-756-0x0000000000F70000-0x0000000000F86000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6132	powershell.exe
5132	powershell.exe
4164	powershell.exe
5480	powershell.exe
5880	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
147	816	msedge.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	CODEX17-V2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	CODEX17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Update Discord.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe	CODEX17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe	CODEX17.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord lnc.lnk	Update Discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord lnc.lnk	Update Discord.exe

Executes dropped EXE 7 IoCs

pid	Process
1016	winrar-x64-710b3.exe
468	winrar-x64-710b3.exe
3016	CODEX17-V2.exe
5548	CODEX17.exe
5020	CODEX17-V2.exe
2708	CODEX17-V2.exe
2380	Update Discord.exe

Loads dropped DLL 29 IoCs

pid	Process
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe
2708	CODEX17-V2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Discord = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update Discord.exe"	CODEX17.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
171	discord.com
177	discord.com
185	discord.com
197	discord.com
212	discord.com
215	discord.com
226	discord.com
261	discord.com
186	discord.com
198	discord.com
213	discord.com
252	discord.com
259	discord.com
274	discord.com
190	discord.com
209	discord.com
211	discord.com
214	discord.com
183	discord.com
184	discord.com
188	discord.com
210	discord.com
216	discord.com
251	discord.com
255	discord.com
257	discord.com
262	discord.com
266	discord.com
267	discord.com
268	discord.com
272	discord.com
237	discord.com
260	discord.com
182	discord.com
192	discord.com
202	discord.com
206	discord.com
236	discord.com
240	discord.com
244	discord.com
172	discord.com
193	discord.com
233	discord.com
245	discord.com
269	discord.com
273	discord.com
181	discord.com
208	discord.com
230	discord.com
235	discord.com
191	discord.com
201	discord.com
220	discord.com
222	discord.com
228	discord.com
217	discord.com
218	discord.com
223	discord.com
227	discord.com
231	discord.com
246	discord.com
200	discord.com
203	discord.com
225	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000001e7da-627.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CODEX17-V2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 140799.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
628	vlc.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
216	msedge.exe
216	msedge.exe
2268	identity_helper.exe
2268	identity_helper.exe
1740	msedge.exe
1740	msedge.exe
5760	msedge.exe
5760	msedge.exe
6048	msedge.exe
6048	msedge.exe
6048	msedge.exe
6048	msedge.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe
5880	powershell.exe
5880	powershell.exe
5880	powershell.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
5132	powershell.exe
5132	powershell.exe
5132	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5180	OpenWith.exe
2096	OpenWith.exe
628	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	4364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4364	AUDIODG.EXE
Token: SeRestorePrivilege	5148	7zG.exe
Token: 35	5148	7zG.exe
Token: SeSecurityPrivilege	5148	7zG.exe
Token: SeSecurityPrivilege	5148	7zG.exe
Token: SeDebugPrivilege	5548	CODEX17.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	2380	Update Discord.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	2380	Update Discord.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
5148	7zG.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe
628	vlc.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
5180	OpenWith.exe
1016	winrar-x64-710b3.exe
1016	winrar-x64-710b3.exe
1016	winrar-x64-710b3.exe
468	winrar-x64-710b3.exe
468	winrar-x64-710b3.exe
468	winrar-x64-710b3.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
628	vlc.exe
3016	CODEX17-V2.exe
5020	CODEX17-V2.exe
2708	CODEX17-V2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2784	216	msedge.exe	84
PID 216 wrote to memory of 2784	216	msedge.exe	84
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 3152	216	msedge.exe	85
PID 216 wrote to memory of 816	216	msedge.exe	86
PID 216 wrote to memory of 816	216	msedge.exe	86
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87
PID 216 wrote to memory of 1100	216	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/o71QDABR#TFT8_ehMtP2w4W8lBDajOedTlWTsBmYYRPBks7KYp5s
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbcb646f8,0x7ffbbcb64708,0x7ffbbcb64718
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Users\Admin\Downloads\winrar-x64-710b3.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1016
- C:\Users\Admin\Downloads\winrar-x64-710b3.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5022412367877616622,13534732646642590675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5520

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9e1cbe5dd586450f82e1df5e7e69847f /t 536 /p 468
1⤵
PID:4628

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6911d6e235b44603828419103217557f /t 3196 /p 1016
1⤵
PID:2668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2096
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CODEX17-V2.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:628

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21665:82:7zEvent18283
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5148

C:\Users\Admin\Downloads\CODEX17-V2.exe
"C:\Users\Admin\Downloads\CODEX17-V2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
- C:\Users\Admin\AppData\Local\Temp\CODEX17.exe
  "C:\Users\Admin\AppData\Local\Temp\CODEX17.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\CODEX17-V2.exe
    "C:\Users\Admin\AppData\Local\Temp\CODEX17-V2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\CODEX17-V2.exe
      "C:\Users\Admin\AppData\Local\Temp\CODEX17-V2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5480
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update Discord.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update Discord lnc.'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update Discord lnc.'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d8903c40cb5b9bb0527fb54175b14b69

SHA1
3a4c0e12dda7b40d0cb1eaf86e74bc7cc04eba6f

SHA256
29b315889d343dc4ea575338a94cb56315acaa92bf780a306b375a9b7a9df178

SHA512
8ed3c83ca95232e51b70d36b428f20675117e04c7ad3fb808c687e57acda38bb53d0d9a6217c6097eb3ad95b0da30d89c330df6e6e268ad8cd2dc7ab51eadcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
adf9519506e8ec1e6b9624ec2fdb9d22

SHA1
63f9dfa44d3c85ab56e695bef9cdd368532c18d0

SHA256
8014583d67c6b1f4cbdff98f475b9b03f703314837859d6bdd68892b93cf3ea5

SHA512
a12dce9e2201b58521e99dad7dd03c5b9e0ed03fed08e98b30e520f03a974835d268546882906138ffc4fb3f93cc0730f094b0a1decc289bb63a2aef79f974e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fcf9f824960100b0eba4af0bd0e532b6

SHA1
d729588a1136bc51e0367185f21b8b912238de2e

SHA256
31e7d8ae7c30f840c9e9c513f68fd3acf39fb5ca487ec6081b81068df61cc53e

SHA512
c6ce5c1fbe6b7873e2532e8b714f632c350a179350ff142fd6e4f61836584a3defa49653f78d36b041337d084b5cfe50922539376ed274015b58ce0ac3c5b418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
775163639e92418f562c0f1464f8a1a6

SHA1
1cb22f9e31981561c5e057ea106bae7f321d434b

SHA256
f18406cab2005ab54803f097016eb188f2c768ac3c8d2ab297fd6e4061bf153b

SHA512
f79ae2e223b1fb3b92cb8d41e740efa1859e8faeb60bbe0de7e0d4b628691dfd725812adff2e1b87588a20ea8315986ea4d0f5269f67f3376fe73627c327a786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a307f29ea2bced9e55677702f65bd330

SHA1
349de8ca781aa918b36985d634540509dfc2126e

SHA256
a8eb04c5b9f37f0bd759f143a552c587c1f2218355b290e5b33594979b45a8ef

SHA512
d64c4a9b87f9dd97533300c7449b558ca44f0e53a70920c94b0101986dff67f38c730a2698ab76a94c88866fea08196e0358b386d4067b39d8a278aa9115ddcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cdc8b243863bc8a2614edac9512e9e02

SHA1
31666ee8df9423f13f9f88807d2f5fb7f5f69543

SHA256
1659e709a2ae6b40976c74a42d8af36663eb986a985776e347ebc21e2b09f23b

SHA512
14f0b6a4ca8b3c8ef310ae37d9e6e5f3edb82a685e48b15433e451c56889a57eab109e80b71d4695662d92096a9b4bb22bd86ef7fd234063b795fcac02293d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e73b00688941a57ab160efaf3ee8f4ba

SHA1
b0ae508ece0b29752326ecd85fdfa1d3a45095a7

SHA256
128630e9266f916c300bc6a510ffd2e0f252949681269170933bed18c7227275

SHA512
ae488b8394ee292174d035e53cd90574e951f51da077623916a2aeddb866d69e99d1787f966c351d4933de8097170549c65db6eb1aedcee343725f78c71f030c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dec88670c68ae22a8cf62c51b37bc198

SHA1
c68aaa830e136873d8ebfb4d730031d6d830a793

SHA256
1b5e5cd72aca634a7e439449f6c63e214485f0355812ac657eb26f991ac90840

SHA512
55ea4f7891429ce0bc7c6debe0ce3e5f7735ba57794b65fcf42f426121792f17f8f37f7242fc0ba6aaf12eaf0903ef3c752df4bd9913966fe8e148d0728b73ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3bfb58a1378d79e00a64dfc33aa63bf1

SHA1
a4ddc0bfea08c06250ebd0ec71804139eec26f32

SHA256
c27785685e6e8e29f998574fb0acd3d0828d64d051ef38380c6672416bafde18

SHA512
3f964a1f9d24fa6009a747093265768e389cc0b1636a6aaf24a8e76666f0e413f569d4904ebbe158f5b6af44ccdc11f6d3ea4a5605d6bec7f54d59b35b0852b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
53e51e372628ea070383feba0555a319

SHA1
dedaba9af5c5840bd606500936fc51ee31c2f600

SHA256
8a175b7eade731abe1cbc1fc7fc98de69a119ac5374e1f4013e73b6dd14f35a1

SHA512
57181a523248eb722484b3e52e534efc9197174e19b11b3dfb2fcd5e7596871888caf7a51e4815c34afa4557a795fbd11aad2e738eda2fa33555fd478e0a19f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
59f0441da0f35304535fb9e3294ed8a3

SHA1
8d69b378dff8fa9bfd294d7310a760e90a86c7b3

SHA256
926334ebaf007bd52781e00d7937ea676ddc17d986d834f5f9d52a4d63323463

SHA512
e81220a6b7e135d3a306b94de6934fee4dd67825cbc8113aeb7f68f7c7ac6379d74458078df1b6ecd731c01571287e32711ff0d5ad97893bffda351bc7eea6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ccd5.TMP

Filesize
48B

MD5
04ffe3ee67ca407931efdc0a3c7e86e3

SHA1
6b8e5d359f21f8439ec5dd9ed7fbe74ba97a8960

SHA256
e761baad4b3c05c54de9e24a7667c9abc17068209a9e140f45305fd2e26f9053

SHA512
aae91217de0fa93c053e86aba312ebf4fb3c5174d9bc423ba57aa2352a2b9a65fe6ff925007ce9f28776d3e273f62f23a530665162df87fe2dd383240f07dc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1cef701da9dca18a7083ecee45ba2a17

SHA1
46b62132ca57c11efa712cf42c80456d6f4629a2

SHA256
5a24a88e55668766064d66671f2500e6edfbc69e4136a3a8bbd66dd0bb8f98d8

SHA512
18d069e3f33176f24e4292366d98c374aedebcb8e30c347daad7ca8b4a1350fd63c842d1e24e51c37f6179b88e6ea7e4d7563194cb3f965800b04c4e66d32782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2332bb18e99032b9725831c38c56c549

SHA1
296edd39ac49b596c2409d2c0ba546691908426a

SHA256
5762335f26c8d8cea19d17721c275f3bcc0e2d7f6514840accd3c43bcbf022a3

SHA512
f76f0db99961b05762167c39f8203b553cf6bcecb32a0e3c3f72b1fda6e8ffbf706a548453b3b4754bae3ac908f3a579ce901261dd1737a9384c2ef1120d7790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582b70.TMP

Filesize
203B

MD5
db91eccb460339629510122a42810d73

SHA1
0ba90c3966c12b8d3027f6f7780984438f38a2ba

SHA256
4cfd81dacb86ca80efad630e49c2dcc0661a11e81ff104252e1d82473cd8faa9

SHA512
6069a2ee66b1925e0f488ce161e6f802d48df21da1626d166c3ed0e342e88f4c6f878218fc24ac87df18a039ced9bef407cde30eb2202eb55f199ad22e83f12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
40c1d22a05e760958902a44ba997646a

SHA1
ffadf9294ed8fb3f7f516467621722b45a5e9f74

SHA256
8cb6d9c28c90c7922abbb49e2b3cb813710338a2f97c9a7388e23822a6d36f47

SHA512
f6cdd0f0183b1c448fbf8b8ccb848f0fdc8a1c7fa94ed0c91b90e1426a775035618a4849fb7af04f2a7eecaf3329a73e88602403345d81c6b076bee595cb7c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63392ffc3e99836b3e5aefec0e16fba1

SHA1
a84c3309af02c1001451c3c17892f676c3840d9f

SHA256
682dc709cd31924eb8bc7bfb3d18e2c9a2e4db617a8cfa660710ea4180821a47

SHA512
d7c160964486b939815823bf52e91a3ec8d8f08a66cae82afa0881178592d155e5e12c8bafe9c34f4a56e5f134fc06ab0bf22d77bc30031a59d0cbe8a5f0d819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bb6818e6be680e2377658dc8baa09230

SHA1
1b8dc3b247668f1e5bcc5b7deed96d955c53ed5f

SHA256
7af7d4a1767b644bb83a0b4ab0b03f540dffa562f8cd4c669b1af9ae4ed0a7ec

SHA512
51a1141ffc9fb683121bef12853dcd3f1a235d5a3c4b18fcd4c5a2a0d9c978e933b3cb4abaca4faa1d1035189350693b068214777338b3f3c56ab6f86dceb4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CODEX17-V2.exe

Filesize
10.3MB

MD5
d00ba471c6d2d477f1d4658762361484

SHA1
aaeb050871f63d664ea7a032e497e8061ee6c12e

SHA256
5b05cbc0695a7fe7c036028a943a6255984f257d2b21d4b3bcad2f8fd98085ed

SHA512
ed5c6871ac5c47601bb3613cfdb5dc1350d4c9158dd33c01512b8c5693aab562acc24adc59e74ffd64b38581d945434ad449a3357367664f19f4333a28fd46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CODEX17.exe

Filesize
10.2MB

MD5
a8a3d271a0d0b2b8641d6ac4308d1568

SHA1
9d450f043cbf6973b4e18f6ded5c9ab1292e5758

SHA256
1ee99baf3c41446a375a1f3cacaa00675e5e812b52e81436a743c65ff5f91a95

SHA512
41085e28f4b1f0271c2e428db4a056fbee836986cb5aadfbdab352352e2f6e15db726cb431dd8a25b239a7187c427e1b715af3eaf7425019a2c8092849afd157

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50202\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1o5dmema.krt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Discord.exe

Filesize
64KB

MD5
129ac3ae3d01eb4d42554ad267a7a460

SHA1
f902bfedf81f6503c462d82241b1b5aa7e210b2b

SHA256
b12ff2ceeccfc6e9af63ccaf671e486ba75d75ad18b02444a6527029e1b213d6

SHA512
bbfd191e0dea341f3ab08a0860e28fc2cd80141703f5aae4c4acc3da3a74fa2ad470854d69b0d052fb9ac9a818d2a24c01e5f05e5a88d01bc4f873b6945267ba

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
78B

MD5
87fc42c9fbce5d8f2d29fbb5c9965fb8

SHA1
4e387ae133738c819129c4bd3e620f05ea2d1a0c

SHA256
1c671735dd0111aa6098c0df9232fd203d1dc4182f3d3313725256b230504efa

SHA512
4f98bcc20d8ed7b3ffc74f2144599a921dbc20a3a4dc8d4f3366a1af3ea62ca0b6a56078bd061d3ab44363faa22f2282ff26c71c216d1229ddcd5c93e1187a98

Download Submit
C:\Users\Admin\Downloads\CODEX17-V2.exe

Filesize
10.4MB

MD5
463e7eec25de14b755b714134d2813f3

SHA1
641311c881e2a589fe2f258396dcd0e91ae9ef07

SHA256
5fc7513bb1fd2382bae5a9184a5f53b23456d5a346fe0a2f8e31c153c5227231

SHA512
a9d314716fac3a7b92a7f67cba0832884977d85f4b8d26c11e2f9c1382ade4fd507c6db6ab5ff73893d75b12c796282f4f7e67f16b096cbded9b1b46f4deb0cb

Download Submit
C:\Users\Admin\Downloads\CODEX17-V2.rar

Filesize
10.1MB

MD5
d77a713043983bd872dc1cb533411426

SHA1
dcfa94f4216dd68f2a89d1523de5350f8c1d5813

SHA256
69fca6e9e574889360f330ff27648a2ed134bc959f13a89fd28b6e203a8ce04d

SHA512
76801b95a47604b2dcf4795ca80f2180455ebdf32ba92e769739c8c1bb0b5b20f49f0dd150eb974473bfb732210a7d023427c72d614272a8919c638576a76e4b

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710b3.exe

Filesize
3.6MB

MD5
031ca716685041cc9958b5f12cde98d3

SHA1
560cad649fac90beaf034fa4862c45dacca4bbb8

SHA256
b9657c8bfbb0137b3418ad0d707344b435105979d8c9e06f16c926b9de49dc0f

SHA512
ed83eeaa59a5a67e64a89b17273f9787797eced09e6c14d19e87c4f78f5d5b870ea3fad254fcebfeea1db4b04c758c67c9b5c331be514abbefd78f011fe6c18d

Download Submit
memory/628-589-0x00007FFBB9CE0000-0x00007FFBB9EEB000-memory.dmp

Filesize
2.0MB

Download
memory/628-588-0x00007FFBC2260000-0x00007FFBC2271000-memory.dmp

Filesize
68KB

Download
memory/628-582-0x00007FFBC43D0000-0x00007FFBC43E8000-memory.dmp

Filesize
96KB

Download
memory/628-583-0x00007FFBC43B0000-0x00007FFBC43C7000-memory.dmp

Filesize
92KB

Download
memory/628-584-0x00007FFBC4390000-0x00007FFBC43A1000-memory.dmp

Filesize
68KB

Download
memory/628-598-0x000002788E0C0000-0x000002788F170000-memory.dmp

Filesize
16.7MB

Download
memory/628-573-0x00007FF6BC360000-0x00007FF6BC458000-memory.dmp

Filesize
992KB

Download
memory/628-592-0x00007FFBC2210000-0x00007FFBC2251000-memory.dmp

Filesize
260KB

Download
memory/628-596-0x00007FFBBCE70000-0x00007FFBBCE91000-memory.dmp

Filesize
132KB

Download
memory/628-597-0x00007FFBC21D0000-0x00007FFBC21E8000-memory.dmp

Filesize
96KB

Download
memory/628-581-0x00007FFBAC490000-0x00007FFBAC746000-memory.dmp

Filesize
2.7MB

Download
memory/628-601-0x00007FFBAC490000-0x00007FFBAC746000-memory.dmp

Filesize
2.7MB

Download
memory/628-599-0x00007FF6BC360000-0x00007FF6BC458000-memory.dmp

Filesize
992KB

Download
memory/628-600-0x00007FFBC43F0000-0x00007FFBC4424000-memory.dmp

Filesize
208KB

Download
memory/628-586-0x00007FFBC22A0000-0x00007FFBC22B1000-memory.dmp

Filesize
68KB

Download
memory/628-587-0x00007FFBC2280000-0x00007FFBC229D000-memory.dmp

Filesize
116KB

Download
memory/628-580-0x00007FFBC43F0000-0x00007FFBC4424000-memory.dmp

Filesize
208KB

Download
memory/628-585-0x00007FFBC2BB0000-0x00007FFBC2BC7000-memory.dmp

Filesize
92KB

Download
memory/2380-756-0x0000000000F70000-0x0000000000F86000-memory.dmp

Filesize
88KB

Download
memory/5480-712-0x0000020279530000-0x0000020279552000-memory.dmp

Filesize
136KB

Download
memory/5548-622-0x0000000000010000-0x0000000000A42000-memory.dmp

Filesize
10.2MB

Download