zgrat | 90e37120f871643e244d05b25538e1e2e1d25b8d778e2c70b16faf1e5af552d8

Analysis

max time kernel
191s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maple 1.92/Maple192.exe
Size

660KB
MD5

a8ea2de85a8ee0f777bbfeb289465660
SHA1

033df554c3c5f7436560298a44082d7b51fe47bf
SHA256

512ebf3e392379dc7f08c8b20a4205096fbf0542e8d213c9f95354406d8d40d9
SHA512

207f9fd94dfb2cf549f3102ce45dbdc2fbe136eb7be7532cc8fc0136e93f11d1c8cc010b6e880283c6f145d692df46c0308123e98fa1052ad990807a050fe6de
SSDEEP

12288:NF+U6pymQZUtro2OxxjmCUkNfy0/iDl4v3KyoGPosSY0zCXFuZe8:NFOp9tEpCA90zlZh

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3492-0-0x0000000000A30000-0x0000000000A8A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	firefox.exe
Token: SeDebugPrivilege	4136	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
2172	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe
4136	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2172	3492	Maple192.exe	97
PID 3492 wrote to memory of 2172	3492	Maple192.exe	97
PID 2172 wrote to memory of 5084	2172	msedge.exe	98
PID 2172 wrote to memory of 5084	2172	msedge.exe	98
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 3148	2172	msedge.exe	101
PID 2172 wrote to memory of 4340	2172	msedge.exe	100
PID 2172 wrote to memory of 4340	2172	msedge.exe	100
PID 3492 wrote to memory of 2444	3492	Maple192.exe	102
PID 3492 wrote to memory of 2444	3492	Maple192.exe	102
PID 2444 wrote to memory of 2300	2444	msedge.exe	103
PID 2444 wrote to memory of 2300	2444	msedge.exe	103
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104
PID 2172 wrote to memory of 3448	2172	msedge.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Maple 1.92\Maple192.exe
"C:\Users\Admin\AppData\Local\Temp\Maple 1.92\Maple192.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Maple192.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa73da46f8,0x7ffa73da4708,0x7ffa73da4718
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8522903878637612776,12246471448365535567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Maple192.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa73da46f8,0x7ffa73da4708,0x7ffa73da4718
    3⤵
    PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.0.335526930\532986133" -parentBuildID 20221007134813 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {946223cd-f8c9-4674-a1a5-e1486290aebd} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 1984 1e83cdd8158 gpu
    3⤵
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.1.63818326\579103440" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60885fb-600e-4712-a49e-7aceaf84bbd2} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 2360 1e83c932f58 socket
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.2.1221698316\2026091314" -childID 1 -isForBrowser -prefsHandle 3344 -prefMapHandle 3340 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b657bc83-1b21-47cd-8fdc-74a91680d84a} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 3172 1e83cd59458 tab
    3⤵
    PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.3.1742268019\1880955258" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3508 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d9687dc-82f4-4213-a8ac-50c7897c9316} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 2528 1e830474058 tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.4.600315184\2066083614" -childID 3 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb50fd0-89f6-4ade-996c-1c9d97b18a67} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 3732 1e83f6d2158 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.6.544184916\1036944278" -childID 5 -isForBrowser -prefsHandle 5112 -prefMapHandle 4216 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d013a3f-111b-4f92-82c6-19f85b6540dd} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 5084 1e842f95958 tab
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.7.42197305\128970616" -childID 6 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60889eaa-c6b3-44e3-8f5a-8555e19d95d5} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 5228 1e842f95c58 tab
    3⤵
    PID:512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.5.1149637354\1382857351" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4908 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99202a11-d1ca-4521-9491-db2b875b7356} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 4896 1e8410b4a58 tab
    3⤵
    PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.8.393581762\968311996" -childID 7 -isForBrowser -prefsHandle 3308 -prefMapHandle 2728 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa15840c-1eaf-44ff-b397-0ebc46a7f946} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 2800 1e8427d6c58 tab
    3⤵
    PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.9.1303064409\398529252" -childID 8 -isForBrowser -prefsHandle 5088 -prefMapHandle 5100 -prefsLen 26939 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b4f4258-62ee-437f-9751-72626c20f241} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 4960 1e83f72c858 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.10.1166723520\1463299407" -childID 9 -isForBrowser -prefsHandle 6040 -prefMapHandle 6044 -prefsLen 27204 -prefMapSize 233444 -jsInitHandle 1204 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {845d86b0-913f-4972-9549-669aaa349e86} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 3896 1e841769858 tab
    3⤵
    PID:1040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4136.11.1574083097\227692181" -parentBuildID 20221007134813 -prefsHandle 3180 -prefMapHandle 5644 -prefsLen 27244 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cbdae7a-8b41-49fe-9384-d87d302bc56a} 4136 "\\.\pipe\gecko-crash-server-pipe.4136" 4308 1e841570e58 rdd
    3⤵
    PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8df08e94399c0b594194ffe35794f2a4

SHA1
dfdce66cdf538d41b4ab0a9a084d9dd8999ecb95

SHA256
d3775517b14f148f05f089e3aaaad47613525c1de386a437f2c73f59c593de83

SHA512
47a2b9e1fbf8c1586ce280e6fedf6ab89121252403a17f7179d463bedea050d8345312d60bf740629cca6f6e3bbafacbd2e9674cf934529c6f1bc3a46ee4a165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
a1c029791ed16a62cc7c5d516eb96a83

SHA1
c1fadbc0eacc6635b5d2e9ab7e5b9d5c43c3d86a

SHA256
40a62862f5696dce640e237ca03f598c184d8fff584859dfe7de95c0b8b83602

SHA512
c07f731b36a6822458831fef29f3e3548020a06e54e2d3b46b69547933d7a5eb8e3e34a19911c82a986b374ae312a580d6a055bdc3381241afce6ccd5850fa0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
346B

MD5
172a03f1e073cbc347cb5102d038fa13

SHA1
83a95a02491a4b046ea79fd04ccf6c5c24b29d60

SHA256
b8193a8bbd8d5c6b71977d040537ea555fc414cb3f7c2d4166e9bd3ac1ef4e89

SHA512
2a47a09a51fbf77f8b2bcc2d3e46db628d45ebabb9bb4033965b3409810e9a6c55c1008a62bfab5d3ca2a64d8b67f5c726f3682da0132738065c14ff77c1f5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
923a0928983718f6919af8589a6378f6

SHA1
69127ecdfec1532f7d7c07f163ff49acc72509ff

SHA256
93090e591a6bbebcfde1718abf09c1c9b68fd512356b3fd0e49c03c98b3e690b

SHA512
e3d45ec7145bac210a94212812738a9078e89f6469c4b80218d2b3440356e2894e45223d3244a661a38dac41beb6384bf8e549a1b4470708e2d0a953ddc0e3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6aaa6fd64d207388a6834797ffc35138

SHA1
b0f198e8f4d5f9f6faaf9a96f42655d425c17f25

SHA256
3b3ad0d3ca478a0e3361fe21dc52f468537a343bdfb8ec76597060982b14ab09

SHA512
97af197d4796bb5adf184f3b7bab9e854eee96ca1488ab6ed20f7dd5a2eb769cce4957dd75af6cefa49904947abe13b80842ccbe6f91a1b24940df28bfafe08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d392d61df5c9cc8564f709a625e9d26

SHA1
692455820a3eed40c6c057aa52eb2d3cdd4bc6a5

SHA256
d544422ff50d4276fb798669bddd6dc6c0b7b03cfeb5696da0f76fa73fff97e1

SHA512
77e85beb058461b130b7ffa7a1d12c60f67488d2955c33e81b6b439130e87747d6e57d8fa93ad4e1836f1d5424d128001713bd2f61a7a4368a5444422c6da368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b7779acf2ee041f44ca00d9e05a3e89

SHA1
19eedc755f0aa8c0798171c93f36bb29e70e84dc

SHA256
ad306f28d8358d9c74320685b40caa0b65aca6203bbd6d834aba0b9c916f5b2c

SHA512
c4dd95ff4c8bd700dd1bed1380092b819af2cf80b022521bcadafcf9c6fda1dee1e1d7f59446494b1244b10a6990b6665bac06066b61ed99bdf0efe0c1e31f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28e259c38bbeb81a2e552847d07a3703

SHA1
cff0967a4881df3c7dc7dd7ebb09b34b655c1742

SHA256
683fb353b70c14400c2ebcb8e4a3ad5bc02d1b62f2690e86f3fd2d074e60109a

SHA512
0e43cf6ded6842b6fb9555527f38a9418c67ac22e450860e408a08c456aa2e8246cda4a7487d9c95cdbbaa61bf855052eee63598be10cf04fe6b6c4849dd5e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ac697e3122e2846a42908270656533f8

SHA1
b2486d6b6919728d96b6ffdaa8cc5e6a978e155d

SHA256
e114042bb473aa542ead78c8edae8af8f027ef06709d0adb5319678cde6e4de8

SHA512
3456a7843b39412654b993bca25472f39c72bf3df5f1ea842d1ad5eda19aed09a089c6c5276d6bd99098ad5f9d9deca4a28f3ae3070333204352c58f00b1cfa7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x3x6afp6.default-release\cache2\entries\7FEF50EB1C89E58D7202896295BED2C7C56D1C99

Filesize
443KB

MD5
165e29dfa16491bfbfd0be1f4cffb8ef

SHA1
6388527a2b526bf3a65f7872cbab4fb50c93ea7a

SHA256
417989f46cdc44819962efa97b99ac704d3f80b6967701226bc64fe9478e7725

SHA512
e6491ba98866d67e41fe06c8c1a5070e5299c24537aaef90669777b13669366b9c56501a02416b1f2c8b3a7ee217b7b71c6412c814a1b3f483cbe7f4d2d890a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8d3df1b506c017d77d43f4a64bedc1fc

SHA1
08638f3f957fc6e313dc9032997714d44ae0868a

SHA256
183605f73489037dcd1e236513359d1633e45ab36df864aa9c9ee87d7ffd9837

SHA512
8f4fe2a2953e060433d02511a45f27214a310d680dbd7de1c9511ba4c708c9a73c36f22bfb92fac079f02169680ead5630e6862fedc5f4720a1516cc5d090548

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\77e151ef-57d8-40a2-9ad4-710734c513de

Filesize
11KB

MD5
6a1c3a0435ef563512240967a6da30ad

SHA1
42397f4b57d7faed6b0cf10e15f8287df0276e9f

SHA256
904d1cedf96499b87c8b99cd69997370d8774821bf3d7a6cf7e5dc728a6a64e6

SHA512
f6a76640e06bf115b14f7e41558e4590dd83f67dffaed4aa2619267c41b53ed241b2ce05f38dc268dde588e78821358cf98c7e3beca68bb145d3578ad0164f89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\becd5acf-5343-46be-95db-a24ef997b358

Filesize
746B

MD5
f2ae64c6ea8b86e640af7643f026b7a3

SHA1
974811c7a54096f7267ec72265ac823024b24a42

SHA256
c65be62f52d26c797b72e12e6e933d71e541ad815791f41cb5a77aa993087ff5

SHA512
da4cd89c32e9c461ca8be1a41af75959f78feba15ed737ec7a05d5f839b165b79ca7cfb98ceb6e5c5459ed0235f574329cd09165ba70cb8d7d10825d079149fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
2.8MB

MD5
371eb55db524528c411bedfc8b09d751

SHA1
1d9433f83eca918cbf0587ac2d8cab16c0d9f92b

SHA256
2604259f71efcd2e8e2355b80002ebeeef55a4b9925d6ae69d47b243e43130a0

SHA512
039cde101cf799d9b3536edbcd7d84dd19db1ae2d0008a4f9e21c4c19c9dfec04305bc2d66f5a898a32f39e1fa778d4beb92c6788bc3953abf74bab7f237bcf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
d45d09f3b7d75c47f61f5737aa38b60b

SHA1
e565c4a4c6b827fce62c7aa03258ea3048fe9eb4

SHA256
0323f7bb337f6178e3d3f57151d234afa770095e1f9c917a3fb9f28d67011e80

SHA512
bcd67214f0e06adbc07879aa3baa6beb2bd996c749587b93add6900e77fbcc929cffeaef2ea64a25e8a7618ebcce044f46ad84f7993a799828c529b4fb15e99a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
e9186bcc94c5f7b9149faa79caed77f8

SHA1
584d4bb83e1e0f9868a554177ca6b315959b91f8

SHA256
e722607e19d2c9d27447c3ab7e0faf2017f74cc87b93923380fa7f67f836b8c9

SHA512
75131626a6059b79ef0ff9fc8ae3ed1db0052fc00ad4ac5153acd9f86ac33fe5fa5f49301733f492573bc7645042fd9a2188bb691ef0e3512420d586b1fcd8bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
7KB

MD5
c8270cc9f0c9098079ac6a600eea45ba

SHA1
ad493d336f55cc8e2e6dc41030ca733881ca4f27

SHA256
9db383f585d0915a0feb815a54c24c0c7bd520b6c88b04fde96cbcddeaed2a02

SHA512
52490ebd2fe86422fc0baca7c135c69af4d37c897e1978bfd04cc4971b5f12d2bd95f6db8b2ecbed19c3d7d3a5efe6b28d88c1bfcbbecd26f63e55a54b848955

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
85872bc64d9931ba5c3918786589d141

SHA1
82e25cf07548a38aad307c426fe08ed63e33c916

SHA256
79164991a65713d3596fcacef9e60e1dd50bf834e7e8a28681a7931ef65313ae

SHA512
9e47c6850bb307b354568e0e161588262f8671841d4d862d956b692613e41fcf01f0ae6e5856b5419c123e163bb0ac8549ecf4295b90430ab5148d710c2de811

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
dfe5f20b5713a45875a73f79ae54ea86

SHA1
78ebc7e1fcbc2a0835ad9c04f1e2f1cd86990d04

SHA256
7df8dd32d3052baeb9848950327922c1f8f4a91c227593b956c8ab545a3d0567

SHA512
82703497c4c0f1fe776e988bc1f12c60c0ed265103b3eedf16ad985a26c1266c1d945342cf462293614f92b56f45c311ea62117811fd2b1a8948dc84c83b519d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ab9f6cc191ca43ff2103b36de798a074

SHA1
eafe786822810469b8bbe7edb944cae050d24917

SHA256
5384208ebbf1bc4e86740b89a4f2b4df648af6c66553ffcde1795dc003f467a1

SHA512
bfdbb73aa0d688d6a26e11dba45e05c4f18f008ff5080c815b6add00d113aa39faf4b760e1932e66a5d4f1bed09ed2cc0354b0a00e313ec58254ceb279add6f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
34f74a37bc44745cbdb18c1509a21770

SHA1
2b90512289e0d3a6d91c783890a7e814f69f9e71

SHA256
a6bcbd7c80198c340cec5cf526f341ec659fc572e28a53e350718898548b7342

SHA512
4714cf26652b70227fec4604156be059e579171194abaa870b61f4c084417d9e161b143db55198336fc23bdef024886da90491df540672fa5501d0c0860253e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d48da8fea43d318118f67c4b0a6d3a7e

SHA1
9e5a8616f1d01e2ae2996b6e341fe171d97a526c

SHA256
7b32100fc510f006278dc570f04b814f3620b7a639a2eb118852535cec7948e6

SHA512
a585591dae404c944f17a7e21b8be158d5cd4dc13d4ea373a2da45a8921d0fe33059bbf80a6a87c1d2bfd74cbb032331383ef0a818badb1da04f09873d7821f6

Download Submit
C:\Users\Admin\Downloads\osu!install.yYE4oFTY.exe.part

Filesize
303KB

MD5
458ca24d5b372122e223c748abf2fb5c

SHA1
317bf8059f1bd77a7c5982bdabffcca9c2a033fb

SHA256
eb65f94c0d8d635dc58b8d2fd174c07a4c839bf18560fc5dc71131de5ee413d3

SHA512
6c8b2e689cdd24a68bc49229740b6104a367631473580aac0ce5608bfe6f4548b08587600a2a26e24f8890c68aea24c2e2af9747b7a244313b40bf8e0b06c667

Download Submit
memory/3492-0-0x0000000000A30000-0x0000000000A8A000-memory.dmp

Filesize
360KB

Download