eternity | hxxps://github[.]com/FrozenGT/Growtopia-CID-Creator-v4/releases/download/latest/Growtopia[.]CID[.]Creator[.]v4[.]zip

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/FrozenGT/Growtopia-CID-Creator-v4/releases/download/latest/Growtopia.CID.Creator.v4.zip

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2036-237-0x0000000000F20000-0x000000000100C000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CID Creator v4.1.exe	CID Creator v4.1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CID Creator v4.1.exe	CID Creator v4.1.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	dcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
372	2036	WerFault.exe	122

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
672	msedge.exe
672	msedge.exe
3176	identity_helper.exe
3176	identity_helper.exe
4400	msedge.exe
4400	msedge.exe
2036	msedge.exe
2036	msedge.exe
2036	msedge.exe
2036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	CID Creator v4.1.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe
672	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 5008	672	msedge.exe	36
PID 672 wrote to memory of 5008	672	msedge.exe	36
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2372	672	msedge.exe	87
PID 672 wrote to memory of 2724	672	msedge.exe	86
PID 672 wrote to memory of 2724	672	msedge.exe	86
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88
PID 672 wrote to memory of 1108	672	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/FrozenGT/Growtopia-CID-Creator-v4/releases/download/latest/Growtopia.CID.Creator.v4.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c20a46f8,0x7ff9c20a4708,0x7ff9c20a4718
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14490828688750678767,8742903563426484936,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3452 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\Temp1_Growtopia.CID.Creator.v4.zip\Growtopia CID Creator v4\CID Creator v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Growtopia.CID.Creator.v4.zip\Growtopia CID Creator v4\CID Creator v4.1.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2036
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2036 -s 1900
  2⤵
  - Program crash
  PID:372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2036 -ip 2036
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b950ebe404eda736e529f1b0a975e8db

SHA1
4d2c020f1aa70e2bcb666a2dd144d1f3588430b8

SHA256
bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4

SHA512
6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0d4a871cedba34c711c9c64a835daf3

SHA1
65f7c77b0d16e27aace92720f25c1ea030b423ad

SHA256
4dd42ecd1c8af035cd7fc9248b313c0c455d237fda680f9fd319d1573c2c1d3e

SHA512
d57fed2524b96829a770fd23583629923a4045383b5fb90a62b2db54b0e867e86cfba3094da35d25034435ff8f5e983a85d5d8f88609a09c79d0616f0db48788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0cc2ab98f9f36229e98a47b1492bb49f

SHA1
f452a2902ca164ebd5ba8870216f53e3acfc9c8e

SHA256
76ada48bf1435bda19f58c9a6f52fff6ba1f638a0b8b49d9c86921a80f05da8c

SHA512
bd87c1024073d7de7b54832e671624c7f3ecb3653447969f74867d558419c583249a060feccebb2ec6796ef549520be808c2ae6ad1d42ee561252840785d857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ca36933e6dea7aa507a272121b34fdbb

SHA1
3b4741ca0308b345de5ecf6c3565b1dbacb0fb86

SHA256
fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d

SHA512
5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f3eea93a54a94f9ec752f581f21883e9

SHA1
19239859c35f4cda71db2d83f57a05607861eea0

SHA256
0fbd57e0028f36ae591ba04120bb457ab85a3e5c8119fcc72a717e3ee5f21978

SHA512
7a726540168ef10f3dc821a034013863717c21c819621000c404aa24d1d191ab7b6999fba38e9b96801e6eec3b76de37c1abc90f42429ccd080c599d796be03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\Growtopia.CID.Creator.v4.zip

Filesize
1.3MB

MD5
225a4ed51ac8fca4f3dc039f51e36131

SHA1
f6d82cca12d3608cab3f4f392758d6e8388c7921

SHA256
b44df43cc08e995077427e907d31cc83410afe0b0d29ec1c85f0796413542e18

SHA512
2252978f9d31d0140bd9b51d2dd78406fd74126875cd9f8d560080d1d99fe3056ab0e2290bc45dae41c8dc086a8c133b36ae349d38024a8473ea6bfe6c68c543

Download Submit
memory/2036-240-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/2036-241-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/2036-242-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2036-243-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2036-239-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/2036-238-0x00007FF9ADC60000-0x00007FF9AE721000-memory.dmp

Filesize
10.8MB

Download
memory/2036-248-0x00007FF9ADC60000-0x00007FF9AE721000-memory.dmp

Filesize
10.8MB

Download
memory/2036-253-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/2036-254-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2036-255-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/2036-276-0x00007FF9ADC60000-0x00007FF9AE721000-memory.dmp

Filesize
10.8MB

Download
memory/2036-237-0x0000000000F20000-0x000000000100C000-memory.dmp

Filesize
944KB

Download