bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1574508946-349927670-1185736483-1000\{838D9ECE-D22C-41BE-AFC7-5A2F3955D2C1}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3800	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4980	AnyDesk.exe
4980	AnyDesk.exe
4980	AnyDesk.exe
4980	AnyDesk.exe
4980	AnyDesk.exe
4980	AnyDesk.exe
5152	msedge.exe
5152	msedge.exe
3008	msedge.exe
3008	msedge.exe
4540	msedge.exe
4540	msedge.exe
6648	identity_helper.exe
6648	identity_helper.exe
6216	msedge.exe
6216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	AnyDesk.exe
Token: 33	3792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3792	AUDIODG.EXE
Token: SeDebugPrivilege	5780	firefox.exe
Token: SeDebugPrivilege	5780	firefox.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
5780	firefox.exe
5780	firefox.exe
5780	firefox.exe
5780	firefox.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
3800	AnyDesk.exe
5780	firefox.exe
5780	firefox.exe
5780	firefox.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4544	AnyDesk.exe
4544	AnyDesk.exe
5780	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4980	2492	AnyDesk.exe	88
PID 2492 wrote to memory of 4980	2492	AnyDesk.exe	88
PID 2492 wrote to memory of 4980	2492	AnyDesk.exe	88
PID 2492 wrote to memory of 3800	2492	AnyDesk.exe	89
PID 2492 wrote to memory of 3800	2492	AnyDesk.exe	89
PID 2492 wrote to memory of 3800	2492	AnyDesk.exe	89
PID 1840 wrote to memory of 1584	1840	msedge.exe	112
PID 1840 wrote to memory of 1584	1840	msedge.exe	112
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5132	1840	msedge.exe	113
PID 1840 wrote to memory of 5152	1840	msedge.exe	114
PID 1840 wrote to memory of 5152	1840	msedge.exe	114
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115
PID 1840 wrote to memory of 5184	1840	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:4544
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault62b239e2hd479h45f8h959fhbc3bd6f03517
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffad00446f8,0x7ffad0044708,0x7ffad0044718
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17921705495541379237,1433168759019072256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17921705495541379237,1433168759019072256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17921705495541379237,1433168759019072256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:5184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.0.1913983087\140697893" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef865900-b640-4019-b287-fa86447aa084} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 1964 24de78ec958 gpu
    3⤵
    PID:5940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.1.1741443645\996135215" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5932df7c-5044-4521-9899-bd80334d8c3b} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 2368 24ddae72858 socket
    3⤵
    PID:6012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.2.2106186523\1669077905" -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3284 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74654a65-9f88-43c8-9c1f-99f118bbba93} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 3168 24deb8b0358 tab
    3⤵
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.3.2131187939\1598037619" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d3f93a6-e7af-4ab6-9882-1d28b4aa24ef} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 3592 24dec61c058 tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.4.879199994\633243438" -childID 3 -isForBrowser -prefsHandle 4652 -prefMapHandle 4648 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aff714d-29ff-4cd4-ac81-542362e3062e} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 4660 24dedc32a58 tab
    3⤵
    PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.6.967914736\1914215952" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f234d5b3-7b8e-4ab6-8cec-1d6574949b49} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 5176 24de9c87158 tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.7.767579261\1267169071" -childID 6 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c335e1e-57ef-4d02-9834-e43ec039f914} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 5364 24de9c88c58 tab
    3⤵
    PID:3584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5780.5.1076047208\820309522" -childID 4 -isForBrowser -prefsHandle 5032 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faeb81bd-b9c0-4257-87ab-7ad477324798} 5780 "\\.\pipe\gecko-crash-server-pipe.5780" 5052 24de9c88958 tab
    3⤵
    PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad00446f8,0x7ffad0044708,0x7ffad0044718
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:6384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:6376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:6196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:6508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:6492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:7156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:7164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17958258262175589496,2220866168775890998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f91c44b438c1a1cb37cb59a74384e54

SHA1
b657b8f752c8ef9eb00fe9699428c9dd4aaf73e5

SHA256
bc5fe0164dac632bf5396dc87cbd35b651e5138caefd2e0cf50fce354cce1729

SHA512
bcd3279264a6a264ffabdef262d73f3b3c6b947200d7cf0438f06ac267215ba5774ae4a7925c37e9517fa8b0eb2da5dbd0dab43bcb0f957cca03cfb4f8707f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
149be580994af944c9d0e531aa2d9d94

SHA1
c051cbf7b907ee30ef381ed9d880759eb18bde21

SHA256
09b36f71f24a8e4a3d9c715e8e21e23f3198d1eb20599b5dd7f3f61a1e584016

SHA512
26178b9a4a8abafaa4be6db588581a3a10b7f25d37d3f86af9c6835e15521e0084d76235d5825b21867faada5061050aed25c14ebf0a2543acf359d4e7da3c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10f5b9154a58defd75946bae1db294cb

SHA1
29d5b12bdc60be6fd3d374946bd6fc28c6e04241

SHA256
f849c128ab3e71ea19596f6fc5fcb71be2f88d85933fff49780b3e2f7ff7d564

SHA512
8726e42aa00ce650870c850ae2e2ded02dcfdf63c8a73bcb998d3ce20522492bdd22e2af3d94f11e71c54b33bc6a49dbcac57533119e7ddbcb13dae8801da11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10f5b9154a58defd75946bae1db294cb

SHA1
29d5b12bdc60be6fd3d374946bd6fc28c6e04241

SHA256
f849c128ab3e71ea19596f6fc5fcb71be2f88d85933fff49780b3e2f7ff7d564

SHA512
8726e42aa00ce650870c850ae2e2ded02dcfdf63c8a73bcb998d3ce20522492bdd22e2af3d94f11e71c54b33bc6a49dbcac57533119e7ddbcb13dae8801da11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a7a961f2e46f992da3a332d50ee811d

SHA1
c4defb379f3c1be3c4401874477149492140989b

SHA256
2be51c1f18bc9bdb3b13465a8e25e41f105a1014ba4f2614b582e4c722e87b1a

SHA512
9ca705c25671a28067e697c6b151a66c82df7acbe36e92db1f85bf1073059439860207d534aeba1e499449381bc1e9f851ecd84e6ce0cafe821c78e46de93893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5f91decd9e8222d506f6a37aa473035

SHA1
a81288a72f26eebcd3b9f04d83acb6d7694d9a2a

SHA256
7aac080fbad0ccf9343ddaf9ff2870ec3ed39ade09261eb5c88805fda674314a

SHA512
420a28acb19545d943acf2a3c7f4b2ad4ddd547d8d2a1e7a5ecfa58d198669eefcfd49f30a51ee809b207fce8128a4c137265454a76d8fa359a265807eb64dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fb4697dd439d31f7afad96212364cef

SHA1
f2c19e5f94e5a569d034f4b4f24b5b4b3d814765

SHA256
17bab35885bf8a0c30634474e137ef0c52df8a32b2a4eca0b90500e9676f4e3b

SHA512
808df3102794abd53d486e5075c187d89136b2864d5e73d0bb1f43cbdca44e1c322912adc9b0714781f3e2c399dc379ddf4753ad580c5fc30214f8e98d8b500b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
bedd675cabe308d319576cbeb6f378cd

SHA1
90c8574031e1afc9e3ff2c9677e0cf42a9c48dc0

SHA256
220b07b3eb5917b0c50e73e7f42356281796aeb214a65e9d8f14436cdaf2dae4

SHA512
9a572e2269b6ac8aaaa1524987541d699bb3f07cb1d882ed66d4086b1d1cfaf73aebfe005528d4133f28f02c5ff2892f67373437d4190a31016eefa414e480c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f911abd60a0a213429436fd9b6834842

SHA1
3935831250a819eb30c457ac6527af88e32ad274

SHA256
d4ee429ad4b5f5ea6d8dd5f701d8db4ebfc2d8bf91970e20a5fff4dc61051ceb

SHA512
0cb6ba2e442a76d71334ca7d2a0e325359411f0e6b426ddb32c3db4aadd944937f00d9c5e463941dd9bee041983424b4f95945c60621b636ffcb46713abc1656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
940661492b75632e3cc1c54c0a1b045e

SHA1
c3363700182a6870a19c17a04a0cd56d548c10bd

SHA256
548377b7da2e9e063d95221cf1835033535cfc1df5ebd9528a9efc4bda244120

SHA512
4a45df436822c61dbf132a0401bcffd5133409332973b858797e64c6b4d34c990115da2f6cf0d34d67b78deba47e858e46b6eb3af0cc1e9e943c66b862ebb5c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a435.TMP

Filesize
370B

MD5
a8a8edefe8e942744bae20b2281f34e0

SHA1
fe5690641f369b28338af5a2353e434110b6ad55

SHA256
5b6c0adbf5adcf263c4c7e836937205fe17f658322305b4d2afb85dad324fd46

SHA512
9d6f3d0261274e066de1df10e80a04da28d9ce08e0377391d1078978b7e73324fe0e680ebeeb9168f50d7b46c9e306e2973ffa6728bab676def5a9054d26f745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
9eacaaceceef245fd9c5239885e28fed

SHA1
26e5b9ecee193523b32966e9dbe36b570187b6c3

SHA256
fa1c3d65f4162cd31015d621fe69ab315382a0964f102928498f2296d1b71a90

SHA512
5c218b8a8621b572e6b2885f658464b5a8c99574b15cefd59241ab4d3e43a8440080c2f090e38d2854101e9de46bd33878fa4334b4a0eeccd145f8e14a55f946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
9eacaaceceef245fd9c5239885e28fed

SHA1
26e5b9ecee193523b32966e9dbe36b570187b6c3

SHA256
fa1c3d65f4162cd31015d621fe69ab315382a0964f102928498f2296d1b71a90

SHA512
5c218b8a8621b572e6b2885f658464b5a8c99574b15cefd59241ab4d3e43a8440080c2f090e38d2854101e9de46bd33878fa4334b4a0eeccd145f8e14a55f946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18ceb9aa09fe561f1bc45d0474b25c74

SHA1
255d0e28d86174cd98b424b540ec6b3f3e506124

SHA256
afac67842aed80f37092b5113b4d2393685f6d7aac64a7b9ab2c1c9f778f9b50

SHA512
5ef0aeb21eff16266bc1c1c5d94328d1880e5bd667d0bce176e20f86b66eb6411afb2eac9545bcf6849da43f99ec61d04788af65c39dcfd20a11900c5f98e27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
32da629a718f89887cf568fb57ddec8a

SHA1
2a8b0123e27308f6be121102b66a3f14ac88f4e4

SHA256
c11379192b951eb7969e6a7e60b69aa9796bb79101528445f937792c260bdf0d

SHA512
5259c83b85a33f7fda6ffbf25c643e9c282d513de32b056c6cf6524431f7da8b552d44ff5c9f60fb68896a46d317ab9a4d0c2346bb133e79849fe0d57dc56520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
42KB

MD5
69859bb95776cf6cdb5c636c518d4eb2

SHA1
d2b416871604e04ce921403ee295c90fad9e3f8a

SHA256
935e9d6c9c0aaa73cb0ead1a23822a90eff9a64347194cc3d57423e01584a3f3

SHA512
08b99bb1d382b4350241bb53bfd3f259490416d0bfb15b48bc4bc2a268f24bab67b64a49aa0e8ace66162723f956f7458dace7e7fe7fcb209d815dd06741190a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0d540bb8043d3df363309124cacc4d10

SHA1
c422552c71b04624d4c76d6b1fc1d114c159c783

SHA256
92f6da569df1bd84ef6ce4f48b770ee52f0bad79c9c43ca85a3efb79b8081ead

SHA512
54611561f5fb6ca0e68e503e1b01d503d35fd69e944be1c5297d4d677756b116efec8bf40d9f3ee5e87b23d6ffef23ca88f039ebb47fd35c51baf760bf022aea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
6775f01b126409311ff7bb66978fbc93

SHA1
61bf05d8b230c9f0f52d49cc2501ebf78d946bce

SHA256
51580987f8d47aa92c4a69c3de0ffb9ec5eef2f483210100c159acadbf6c9fd5

SHA512
5de33ffe530102d7a2ba0bb6e4a5686df2213a726abcbfade10f786404a4259d06c37dec26771b832f3d20b2769b2f5a272d88a2468d5fee12d110a1695f8248

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
df2c906861537c81cc6bc35f2e5f642a

SHA1
a9f6297f0d38913422ec4497e1af9246000ce438

SHA256
8a2d7b59e7a55985b80253203146e1f314da8fbb5cc69f316e0f80c8414769f2

SHA512
259189388a2d1c013933887ccf18b3eccb62ebaa36edb707488a56c93f26fc1d9cb55aa8994e02d788d5426d8c252f1aac5e6f9b33f3d2d75bd51630e31cf88a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d76e0e1d1db8c9643bf43430ece35fd4

SHA1
4768f21caaab757e30fee56a572b7cadcee79f6f

SHA256
600830939c52576cb01a3dcaba650be9f3c3fa8fe42fe800c54a1a9b79843ca6

SHA512
fd9a1e15972cbd431476a056d702786c63077c09cc1633fcc7d8bd8d69775d92512ad9b9bd24ead9e362da73e32a208f7b926f563fe2f8fd15c60df806bba3ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d76e0e1d1db8c9643bf43430ece35fd4

SHA1
4768f21caaab757e30fee56a572b7cadcee79f6f

SHA256
600830939c52576cb01a3dcaba650be9f3c3fa8fe42fe800c54a1a9b79843ca6

SHA512
fd9a1e15972cbd431476a056d702786c63077c09cc1633fcc7d8bd8d69775d92512ad9b9bd24ead9e362da73e32a208f7b926f563fe2f8fd15c60df806bba3ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
27db36e62f00d1249e14a6e0fcb16652

SHA1
c424c3774addfcfabb656f12cd866dec28416128

SHA256
cd19c500e067d45ab75ef7114584aec030627b43226eeb4f739ee7ce0f2b800a

SHA512
c95fac4bf6fccb2b7afad3be597f8c9014249010458ffa8946fd8e7f034296204425086655cba07330c6edd2054e1c70bd7bf1a92581df5a871b2464023ea434

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
27db36e62f00d1249e14a6e0fcb16652

SHA1
c424c3774addfcfabb656f12cd866dec28416128

SHA256
cd19c500e067d45ab75ef7114584aec030627b43226eeb4f739ee7ce0f2b800a

SHA512
c95fac4bf6fccb2b7afad3be597f8c9014249010458ffa8946fd8e7f034296204425086655cba07330c6edd2054e1c70bd7bf1a92581df5a871b2464023ea434

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
435090b11757754896a22d34fa6476c2

SHA1
32dad184ccdd001a9cfa3ed582844667578a1aae

SHA256
42cd1ef97c64c4dc8edc1afe9a4d0f9930b5f5d8757bd30ead662462828f9efe

SHA512
a06b2596db0b4dca8e7012f50186b7a33c8f6c267483091d04940591322a5e9f72ddb311bbac007d32b5260c56037450044ab2bf26ecc1acd168a49613539e21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2b0d668f532bf1e35abe7f77e6b6f003

SHA1
2653adce6d19f163760c375a2cda904fc7f5b8d4

SHA256
7424c84c949698ac72ef70628d7ef1b9e986c99c9cd12aafdbb1a13e808b20c6

SHA512
feb2c3df658937a6255c65b052f20bac1b32a662cdd6f0a4033d1adc799081533747066aa20bece87728b37aaed1a500e81e892e121adcef796e8813658caa59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2b0d668f532bf1e35abe7f77e6b6f003

SHA1
2653adce6d19f163760c375a2cda904fc7f5b8d4

SHA256
7424c84c949698ac72ef70628d7ef1b9e986c99c9cd12aafdbb1a13e808b20c6

SHA512
feb2c3df658937a6255c65b052f20bac1b32a662cdd6f0a4033d1adc799081533747066aa20bece87728b37aaed1a500e81e892e121adcef796e8813658caa59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2b0d668f532bf1e35abe7f77e6b6f003

SHA1
2653adce6d19f163760c375a2cda904fc7f5b8d4

SHA256
7424c84c949698ac72ef70628d7ef1b9e986c99c9cd12aafdbb1a13e808b20c6

SHA512
feb2c3df658937a6255c65b052f20bac1b32a662cdd6f0a4033d1adc799081533747066aa20bece87728b37aaed1a500e81e892e121adcef796e8813658caa59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2b0d668f532bf1e35abe7f77e6b6f003

SHA1
2653adce6d19f163760c375a2cda904fc7f5b8d4

SHA256
7424c84c949698ac72ef70628d7ef1b9e986c99c9cd12aafdbb1a13e808b20c6

SHA512
feb2c3df658937a6255c65b052f20bac1b32a662cdd6f0a4033d1adc799081533747066aa20bece87728b37aaed1a500e81e892e121adcef796e8813658caa59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
68936493ae667f641b13f6890d8f0d71

SHA1
d95026facbd713091bb665660d49aad6b04e6753

SHA256
706ed76258e2a678a458b5b880be8ef185aaff88e2f2d9e4ab8913208d54f77d

SHA512
e5e6fc6a518974e1c86c7113879d4cad01c0c780e14d12b36b0efd17d08300ead3b161d17ee796bca017b5c182bc9ed249fb6f7e306a7d7842ceed972c6d890c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09e0e12474ee34b7b389610f17129039

SHA1
54e75742d0ed6dc757d93db3a3acc4e3db62fbc2

SHA256
a0647a282b193faa535c6aada6671531c0112c0ecb0d7f5e61c37e2773f07e10

SHA512
a90c0b0bb6c9a668081a6e922c32781c7705fea52a635d0e34b60faaedbae6402c2afc6fc39afd3086da89c98bd089cde9b6da414475e4068b58ae4d69fa81f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09e0e12474ee34b7b389610f17129039

SHA1
54e75742d0ed6dc757d93db3a3acc4e3db62fbc2

SHA256
a0647a282b193faa535c6aada6671531c0112c0ecb0d7f5e61c37e2773f07e10

SHA512
a90c0b0bb6c9a668081a6e922c32781c7705fea52a635d0e34b60faaedbae6402c2afc6fc39afd3086da89c98bd089cde9b6da414475e4068b58ae4d69fa81f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8ea0aecb27c618eb9ae0d65fcf8e033c

SHA1
a3b5c74668943d441d0e0cd1cb3fd1f474b9a12c

SHA256
ecd85345843ee0269875a06d8648fdab2db7aae28caa0d2236372f7e96f330d9

SHA512
3d181b7849076a9bab02d0f8e05b308dbb242a1ed64d26003599efb37c3bae793add4b593b158a62baa3153820b595caf7b3a99ee74bf5afda80a23b681b477b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09e0e12474ee34b7b389610f17129039

SHA1
54e75742d0ed6dc757d93db3a3acc4e3db62fbc2

SHA256
a0647a282b193faa535c6aada6671531c0112c0ecb0d7f5e61c37e2773f07e10

SHA512
a90c0b0bb6c9a668081a6e922c32781c7705fea52a635d0e34b60faaedbae6402c2afc6fc39afd3086da89c98bd089cde9b6da414475e4068b58ae4d69fa81f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09e0e12474ee34b7b389610f17129039

SHA1
54e75742d0ed6dc757d93db3a3acc4e3db62fbc2

SHA256
a0647a282b193faa535c6aada6671531c0112c0ecb0d7f5e61c37e2773f07e10

SHA512
a90c0b0bb6c9a668081a6e922c32781c7705fea52a635d0e34b60faaedbae6402c2afc6fc39afd3086da89c98bd089cde9b6da414475e4068b58ae4d69fa81f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09e0e12474ee34b7b389610f17129039

SHA1
54e75742d0ed6dc757d93db3a3acc4e3db62fbc2

SHA256
a0647a282b193faa535c6aada6671531c0112c0ecb0d7f5e61c37e2773f07e10

SHA512
a90c0b0bb6c9a668081a6e922c32781c7705fea52a635d0e34b60faaedbae6402c2afc6fc39afd3086da89c98bd089cde9b6da414475e4068b58ae4d69fa81f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52bf1ae255f9761621ab4e106390a4f1

SHA1
de8a4089753c37201280667566303feffb50c653

SHA256
b1234337f4f8d4e6c9d6a792bae2264480e1837e58bace7cf80f17382542e4ea

SHA512
91330e1b836bec5f5554cb14512e7d359c52119578c8975fb6fc27ab37818d0e29aea96c6e23bc838affb4071f7acd1eb38102d283aac33a07b5b70fcdda5dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0713850eaf33bc2be7c386c3473900a3

SHA1
3fca66ff48e12c07a05c7bc3b60d99d2ab399612

SHA256
63e6587859ca3bd3461115b0b88971e3028b917582c697067368c588c60d9155

SHA512
8930f0fdde4db7ca0e4bb32f706826a1c01478729978a263470c5fbd4dad0e2e21aa777ec9c5e1a00b2b3f613cf72fc2ee252ddc43e9181138ca9890fc5eaf5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
731143bc93d5a959e9b43f651e832799

SHA1
60aa45ce4b9dfe609d2f85d76c63fb7557937baa

SHA256
32e7f34344b50201864872f10776c8033a6df5e5f4c9236b4e5dffa64b90d6f2

SHA512
4428188d395d3ca00c3f2b7b77d3e99ddcebbe4aa29a1d363bb65e3d23851167160ed35e21523c1afc814241c55d591d1f1f1eda27112c00ef39201930e989b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91c06e221ccfe8b946e1bd3f66485cf6

SHA1
705338180efdf876eed63233c2d9aa18bf144286

SHA256
86f9ba97abce80673bb7c097b252047e9470f88f1bf89767e58f0834ed634264

SHA512
e871be7131f0ccca500447db7898da86b067f3a3b7b48cc7fce631a9cfd97fc8227450e084e7f6440f55b61a97247d84188a8e2727b978bfa7a25119e430fb40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91c06e221ccfe8b946e1bd3f66485cf6

SHA1
705338180efdf876eed63233c2d9aa18bf144286

SHA256
86f9ba97abce80673bb7c097b252047e9470f88f1bf89767e58f0834ed634264

SHA512
e871be7131f0ccca500447db7898da86b067f3a3b7b48cc7fce631a9cfd97fc8227450e084e7f6440f55b61a97247d84188a8e2727b978bfa7a25119e430fb40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91c06e221ccfe8b946e1bd3f66485cf6

SHA1
705338180efdf876eed63233c2d9aa18bf144286

SHA256
86f9ba97abce80673bb7c097b252047e9470f88f1bf89767e58f0834ed634264

SHA512
e871be7131f0ccca500447db7898da86b067f3a3b7b48cc7fce631a9cfd97fc8227450e084e7f6440f55b61a97247d84188a8e2727b978bfa7a25119e430fb40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91c06e221ccfe8b946e1bd3f66485cf6

SHA1
705338180efdf876eed63233c2d9aa18bf144286

SHA256
86f9ba97abce80673bb7c097b252047e9470f88f1bf89767e58f0834ed634264

SHA512
e871be7131f0ccca500447db7898da86b067f3a3b7b48cc7fce631a9cfd97fc8227450e084e7f6440f55b61a97247d84188a8e2727b978bfa7a25119e430fb40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91c06e221ccfe8b946e1bd3f66485cf6

SHA1
705338180efdf876eed63233c2d9aa18bf144286

SHA256
86f9ba97abce80673bb7c097b252047e9470f88f1bf89767e58f0834ed634264

SHA512
e871be7131f0ccca500447db7898da86b067f3a3b7b48cc7fce631a9cfd97fc8227450e084e7f6440f55b61a97247d84188a8e2727b978bfa7a25119e430fb40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\prefs-1.js

Filesize
6KB

MD5
2ef4269ae8ae3c2cde7a242a24a49fcf

SHA1
c10acec8fce79a7c0456131f06dd610c038930fc

SHA256
28d2ca3edfab3708a30b82191ca9135881bd2ceb14286b56abb11472226abfb2

SHA512
6de11fc3135beed7f59e6625e61abc1d2481cbb615e7eb77f165168b2dab48964468a6baba4d076cfc0451c743eadfd4411da433c7956f1e3cdf01e3c2db412a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\prefs.js

Filesize
6KB

MD5
d00a58fe02fafec8b912e152e94e7a83

SHA1
687f358445f194a3844bf739e9c7b2de54cc29fe

SHA256
179d3141dee5307599706c6f1d30962356c95a4b30d0239d9af0f193ac548ab0

SHA512
af2667790d8da2adcfe8cb2ea29ae7a8b7130f0830f91f585dfdb5816c1f254dfe29561865834734bb52bc2d3fd645381803eba348b23abac761712ee14a4045

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t9nv4f6k.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3070db3c15394910eb169866cebad7f0

SHA1
4143d8898ad022af026f8f1b4317282268fcdcec

SHA256
5068750b24563f9be523c734c2a38b72c189c1fe018b8867b03bbedbb2c83752

SHA512
56ffe0d0d8f9dbd15dbfe043754e76e65e85524221be1ef8b81ef0b5a8b934e523aead4af3d51443a5058dc16fc902a29eea82d467e5eb028ebead241e44a589

Download Submit
memory/2492-1-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/2492-119-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2492-3-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2492-70-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2492-24-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/2492-18-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/2492-210-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/2492-0-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/2492-17-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/3800-253-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/3800-209-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/3800-22-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/3800-43-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/4544-219-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4544-234-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/4544-248-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/4544-250-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-251-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-211-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-245-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/4544-254-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/4544-256-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-246-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/4544-244-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/4544-243-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/4544-242-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/4544-241-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/4544-322-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-240-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/4544-239-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4544-235-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/4544-237-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/4544-238-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/4544-236-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/4544-247-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/4544-233-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/4544-212-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-232-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4544-231-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/4544-229-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4544-228-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/4544-224-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/4544-227-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4544-226-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/4544-470-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4544-225-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4980-19-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-557-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-21-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-429-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-214-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-65-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/4980-252-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download
memory/4980-208-0x00000000003C0000-0x0000000001B5A000-memory.dmp

Filesize
23.6MB

Download