hxxps://drive[.]google[.]com/file/d/16XVbRQ4hcXJCiEVh-8Cgzc4T45FoZ0b5/view

Analysis

max time kernel
183s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/16XVbRQ4hcXJCiEVh-8Cgzc4T45FoZ0b5/view

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4016	BandagedBD_Windows.exe
2952	BandagedBD.exe
1692	BandagedBD.exe
1196	DiscordSetup.exe
5980	DiscordSetup.exe
2600	Update.exe
4112	Update.exe
5356	DiscordSetup.exe
3528	DiscordSetup.exe
5320	Update.exe
3312	Update.exe
3592	DiscordSetup.exe
6104	Update.exe
3784	BandagedBD.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com
9	drive.google.com
16	drive.google.com
220	discord.com
223	discord.com
2	drive.google.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\BandagedBD_Windows.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BandagedBD_Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BandagedBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BandagedBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BandagedBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BandagedBD.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BandagedBD.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 42385.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\BandagedBD_Windows.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 894368.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4016	BandagedBD_Windows.exe
4016	BandagedBD_Windows.exe
4016	BandagedBD_Windows.exe
4016	BandagedBD_Windows.exe
692	msedge.exe
692	msedge.exe
2788	msedge.exe
2788	msedge.exe
6032	identity_helper.exe
6032	identity_helper.exe
456	msedge.exe
456	msedge.exe
2952	BandagedBD.exe
2952	BandagedBD.exe
2952	BandagedBD.exe
2952	BandagedBD.exe
1692	BandagedBD.exe
1692	BandagedBD.exe
1692	BandagedBD.exe
1692	BandagedBD.exe
5420	msedge.exe
5420	msedge.exe
3784	BandagedBD.exe
3784	BandagedBD.exe
3784	BandagedBD.exe
3784	BandagedBD.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3784	BandagedBD.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	4016	BandagedBD_Windows.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2952	BandagedBD.exe
Token: SeDebugPrivilege	1692	BandagedBD.exe
Token: 33	1460	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1460	AUDIODG.EXE
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	5508	firefox.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2788	msedge.exe
Token: SeDebugPrivilege	2600	Update.exe
Token: SeDebugPrivilege	2600	Update.exe
Token: SeDebugPrivilege	2600	Update.exe
Token: SeDebugPrivilege	5320	Update.exe
Token: SeDebugPrivilege	5320	Update.exe
Token: SeDebugPrivilege	5320	Update.exe
Token: SeDebugPrivilege	4112	Update.exe
Token: SeDebugPrivilege	4112	Update.exe
Token: SeDebugPrivilege	4112	Update.exe
Token: SeDebugPrivilege	3312	Update.exe
Token: SeDebugPrivilege	3312	Update.exe
Token: SeDebugPrivilege	3312	Update.exe
Token: SeDebugPrivilege	6104	Update.exe
Token: SeDebugPrivilege	6104	Update.exe
Token: SeDebugPrivilege	6104	Update.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe
Token: SeDebugPrivilege	3784	BandagedBD.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe
5508	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5616 wrote to memory of 5508	5616	firefox.exe	83
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4972	5508	firefox.exe	84
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85
PID 5508 wrote to memory of 4496	5508	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/16XVbRQ4hcXJCiEVh-8Cgzc4T45FoZ0b5/view"
1⤵
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/16XVbRQ4hcXJCiEVh-8Cgzc4T45FoZ0b5/view
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b3820f-a2e5-4f7c-9d44-0a4d550dd51d} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" gpu
    3⤵
    PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {376ab203-c4d7-4f96-a0d9-67f70d8ae87a} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" socket
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a56fdd6b-3c3d-4a8b-a89e-6f8340e9f278} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3002ab45-d339-46b2-89b6-cd40ce3dc0dd} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4608 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b4da71-03df-4de2-b53e-2eb8b4f9a004} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" utility
    3⤵
    - Checks processor information in registry
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0728a08-b1c0-49d2-99e6-d57d992185fd} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f285fce-a4ca-40c3-9c05-1c6be8dbe733} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d71c1b1f-8cf9-4089-bd86-f33c1b3a1feb} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 6 -isForBrowser -prefsHandle 5988 -prefMapHandle 5984 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1000 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f96eab-57c9-4c16-9044-76dd9bbb3d15} 5508 "\\.\pipe\gecko-crash-server-pipe.5508" tab
    3⤵
    PID:3972
- - C:\Users\Admin\Downloads\BandagedBD_Windows.exe
    "C:\Users\Admin\Downloads\BandagedBD_Windows.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/rauenzi/BBDInstaller/releases/download/v1.0.5/BandagedBD.exe
      4⤵
      Enumerates system info in registry
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffa8fb346f8,0x7ffa8fb34708,0x7ffa8fb34718
        5⤵
        
        PID:556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
        5⤵
        
        PID:560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        5⤵
        
        PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:5408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        5⤵
        
        PID:1204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
        5⤵
        
        PID:456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        5⤵
        
        PID:2968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
        5⤵
        
        PID:5628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5664 /prefetch:8
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
        5⤵
        
        PID:1492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 /prefetch:8
        5⤵
        
        PID:2360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:456
    - - C:\Users\Admin\Downloads\BandagedBD.exe
        
        "C:\Users\Admin\Downloads\BandagedBD.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Users\Admin\Downloads\BandagedBD.exe
        
        "C:\Users\Admin\Downloads\BandagedBD.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
        5⤵
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
        5⤵
        
        PID:808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 /prefetch:8
        5⤵
        
        PID:640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
        5⤵
        
        PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3748 /prefetch:8
        5⤵
        
        PID:2056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5420
    - - C:\Users\Admin\Downloads\DiscordSetup.exe
        
        "C:\Users\Admin\Downloads\DiscordSetup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1196
      - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Users\Admin\Downloads\DiscordSetup.exe
        
        "C:\Users\Admin\Downloads\DiscordSetup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5980
      - C:\ProgramData\Admin\SquirrelTemp\Update.exe
        
        "C:\ProgramData\Admin\SquirrelTemp\Update.exe" --install .
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Users\Admin\Downloads\DiscordSetup.exe
        
        "C:\Users\Admin\Downloads\DiscordSetup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5356
      - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
    - - C:\Users\Admin\Downloads\DiscordSetup.exe
        
        "C:\Users\Admin\Downloads\DiscordSetup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
      - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
    - - C:\Users\Admin\Downloads\DiscordSetup.exe
        
        "C:\Users\Admin\Downloads\DiscordSetup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
      - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6104
    - - C:\Users\Admin\Downloads\BandagedBD.exe
        
        "C:\Users\Admin\Downloads\BandagedBD.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16059705973800389266,16890157034782447173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
2KB

MD5
e3152798ee190e4fc7411c64955c7eed

SHA1
5e6ceb9361df35a5a0fac32b604d3fdd9f65c650

SHA256
bd13a78aa4b2084742da4adf1f239308081ec9f6e47c8ffb070c4a2c0d39a569

SHA512
bdee879b69e620c7927caee863cb7f93fdfad14236b667aef59e1f1c01550fe6d09940ef36961014e8426b8accd91b8ab0c1ff72e492cc745525a652a8833758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
73b3a27a149072b2442d865dc6593a49

SHA1
6503ef1bd97dc59fbfbc62690a5ba65d5c3e4ef7

SHA256
109f9ff9dd4ca88a8616db74906530942fdb32f61e56909946c7d12cf80c3780

SHA512
dbb523ec5b6e3100eb766738c5a2f3ff5198d3f8db306234e4e72ddca3635dd2500e72ccfbd8d1a445c667c3a8214ba3570404c856359b3b4644bba581346e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e637afc8e2a44e75933b419266b2b0d8

SHA1
e35c38d2b6f16be37552778a816d1106ee7114ae

SHA256
72ea100f82e7e0e8485249f0b0a2f5d2d894d7780babec05800d1f45d8493f3b

SHA512
bc3a63b00ec3910d5367ba1cc8436f972e852912c219505730758fab7c2d250ed869746c01037339bc57e03e200a8bd8472c4c9f86c8f60e89c3ff06d0cc0929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
855da533c5f42246e8d695371d824556

SHA1
e4f2f03369dd7f6516976733eec2410dc8525ccc

SHA256
27565aa5ca052ddc79c4b3e79bf25154985d04d159fe1b2841a7a9f236211b79

SHA512
34935fb5a648dfdc53646ef527c685180013a28a0da4e64a0637db68ca406c458b154663be7c9f48c62a193391c9e2cdb1c3a860b2c0062f928120423100840d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58ea65f66438869b8ac7597fa32e6cce

SHA1
a953091282b240135900ce412cca2457e8f09307

SHA256
dde5c03e57aaeff279411c6f9c42ca430b96d26822d7a8ae973ece41bc9f03e1

SHA512
61529350826266fe9cf8b55667a5be29a104878d9a5a66b6586055bef6f129433993d0b1db4f0ac4021c840ecd2aa718908a7b6fcf45b66871f152ee879ee3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
caa1b5c0935528cff05d1c53e675043e

SHA1
8658e18d4bb96ef7013a8f2a2e47db47ea642105

SHA256
36cac139a4fc790d1def16fb82943aaf34ea4c370672a7b8165a5b2561b31da5

SHA512
371787d4e40f7f14ddd585104185de0bbce60b6325c8f0bcf659cced841ab407a7cb28e16a7c5a3a050e5d51fbcc43dca8332009d82fd38d7d13c330756a7ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ffe5c39c568916086363ccab2bee61be

SHA1
7cf82ff9e755a41f166a0169883bb2ccb2b67107

SHA256
ed740153180fc2812196cdda0c9b9e0f7dbe1bd0a10320f79c7ee9b9bee83c78

SHA512
a91f5fef9d96a076dfdf711ddb1afc803d3e30509c0d6917e66d12745a8015a62ed10b655db045dbbaea04b5138e35afbbc8af31dd6f0fbf6c34061788b07b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597b9f.TMP

Filesize
203B

MD5
a1caa4ae01cf55b180edeccd0643f966

SHA1
c260652ccb77f216fbd1a5f1f4d98d74b403bfa4

SHA256
24d46d77f86f87b3ce37b06c53e96234cf795e5e0d11995ef6a1676aa49a81e3

SHA512
b88b24663e03e36a5c1c8f031a24405bfade62ea33a249e25155b0d9df0c820c286b36f3bd67d8cc8bf339df66cda66e1239ac76ec6d9c7f18a28861fb33d8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3c5bea4dcf5d2e5ed5bc676c7d63623

SHA1
0f96d77790b7e98d2d960e33462f14f1996f7c03

SHA256
c7ca8ed92f4fa5cadcd4d19446ab66a122c2c0aa5e0f73a80f27cc534677d2c8

SHA512
589cc1f3a5dae51bb74fba376edd03a4f7dbc311e0676deca380b016a3ab128bc192278eae2b79881bd89392901b21471ecff93341005115b8ea29a9321f5543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6fb7ec1737f58ef40a51b6968c07299

SHA1
c5f82889949dfa9355b44eed1bddb01385b08f08

SHA256
925498e2a40fcf629da1e5cd674be50e61ae8ddd70bf7954a9528bdbf21ac1f2

SHA512
14c18b6ba665bbfdfe65e9844c84cdc4b55f83d0e1cd166bf522d596457f55f45d516e6162548e73fd6e027f853430f4a4664ee929008f47a1a628090da9f843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ae0facd50b0b874dde206a3beed84e1

SHA1
8a5d56d98327e5565f080dfb34023df884873367

SHA256
96b11d91c7709e70cf078f46dc997cd6aa9eaceae9fb54cbfe8b0170a97e4f87

SHA512
19381100210b1ebd3604ad682c74f3c32d1fcbc92edbf0bbf5cccd14dd2082575c72d2ba65910fd4ade6b03f0f128c007c9c4975bcd4797e6825dcef43086e7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
684ebb37693dc9aff4b334916fc3d38b

SHA1
f67491e0d8c9e2e434a7c5aa9f8be2f426e6c3c9

SHA256
5677b897032385b35680e1fc4459371b62b1a96f27b7f6c0cf79f5d110715ea4

SHA512
6cb45028edfdaf8986827b458dbc128d7e4e3011e1b4c60b93bd994cbeb90b96b1a4038137f769daf3034d096954f67f407e89762f63a42c10cff9fa74502ef6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
e17a754de479a4f216dc1899010bdeda

SHA1
d96e478159e9a89f4f2c389330e25c1e374dade3

SHA256
873be220b59ad92509c1be08703b322fd4cd582924b66ca39070261506ed6ff7

SHA512
b822e04a458da56393ab88ac695abd645a0ec322af016d3983698f54a8c8568d01904ba273d0f29aae34d6bbd7dd4b6906ced6135f3fc42a02cc231d1ed83b42

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
2ce083fd1be807bbed41bdb780bdfd75

SHA1
e66abadcea98806722782c900b5f714459552c8c

SHA256
271cd0da20273badc647ddee002931ca6c9f8692730b831ba8b5ac1435722481

SHA512
413a8905cdf257c90f15b592c070b20b4fe35d6a373381cd328a8f33e3604dd5d9a0a173c3376325ccb203c21da17c29cb4221a0345fe8eace10c6d9ef668ae1

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
6KB

MD5
c0e502be1b4949229a3e73c1c7e34890

SHA1
094f89d09193a50cd081c22105ed51b73bc32be1

SHA256
096cd82436e1963ee0b9f132410e2616552cb9f839a083ee0175ff07cb747f6a

SHA512
9155dc91b88367b8447ca471aae6501cbbf15f8cddbc20b43699bf967a6d16d7b1df845ea7ee0d8d633b29860735cf1f6b7deb4f50561873810537d61daa7c46

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
12KB

MD5
5105626f1b5768ff2c2ca825a5c85772

SHA1
d44adff99268e3d84b6f2fc50b69761a23872622

SHA256
ecc961578d62e44bb88b751ddd9a0f839a9af920aa5da0ca0137dbbd85c2a761

SHA512
92cd28b84de742eabf3134b2348c4ad8ee37cffc1fb3dc9da6cdff6a2c296bd0e5b0b8aef9315a696520434e4c18429acdec08a1dea935e87f4d7074bcf56e33

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
6940a8f686f7480f5bd91de5f210107d

SHA1
0354ecaa2240afb2e329b3f425ec514a9ef03138

SHA256
8be3854b85b64325606b2bf2b02d6e6de1b674f6b5f7dd99390605800f513093

SHA512
b205ad5d590d9ad4c105b2e8957abd899576d6e82ad9725cc225d7394ce59ac0f678297cea3efaf44759a61144b844c32ab271ba67e76ca58157eeb2df291af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
180B

MD5
e4e11a44aace856dde05041b199f1b46

SHA1
b7acdac653dfef3e92f2c2e80a84211fa8ca816c

SHA256
b07098d44520991b19adc52c4adeab1e933ddffaefdd23a7335b56d738c3d8a2

SHA512
21badce45ff304b1e46fc83307eb92b79b390c665597d2f9a8c419e32d14226524e64becfafa0f39f1f8a20148dd1a661474f2bdc9ba108317536933a6902b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
202B

MD5
6eac37bb8e931fe287164140e2026307

SHA1
19d543c7f635b650708efa47d4bf489af84486bf

SHA256
043dbab16286b77c7547034d29ec519fbecdd65b320709a41434b0f6b1f49aee

SHA512
7a82b1776e32e28741e26037b7537dd07612c5d0d65f80de037020961ca58cda43cf0e9655685b83d957e26e658a2e8e7c514ac36532a2d04cc7ff0c8e444699

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
67B

MD5
b226fc53ef7c9647dc4afbce9c03dd61

SHA1
d07960ff351e5112c5ed83d6f496cf7f7f64b308

SHA256
9d21a1ecc5c75108e77e1da43a323fd496bd88a1a3926f140a8d039216754db7

SHA512
56caf080c7286bbd0f964caaeb64838edccedca7a1a80ef3a11c053f4408046beac12f7e1f2077fd93a90d027a18e9051a6557d30c0a2f23c2de20f0c154de7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
135B

MD5
7ae754188eb884091bdd251de8973ac0

SHA1
e63d64a750d8ad3ffde78d3680140bff63aebda1

SHA256
e78eefade536951f955aad3cc7313d45d8f1f0779fb5588bb99bc8e18a7aeb5e

SHA512
318c9ee67e9375bbecd159c4a8c4c10e50e921b19c68af47355a069a214ec91f59c26b917027fa98b58aa922275b348c6c69fc29a7bee128837e90411da81d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Zerebos\BandagedBD.exe_Url_23onyxrretpnqmtbcmm1dyw3v2t24ij5\1.0.2.0\user.config

Filesize
815B

MD5
b69c3b40198f603dc16ffaabd1ae437d

SHA1
7c470f18f969d65270fb82dea70175b396575a18

SHA256
f2dd28c2aeec722846e9ba5e902f1b0dffaa267ce493ad81e21e38579ba49de2

SHA512
98f47d3e35560e240a0db24ca380030a9585d28401ae59914968861a813d018134248e2919ed8dc11a1c50d279941f519fa84c2f2cc7ebf852ea608d08ea6b80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
7KB

MD5
7411ca04ecb94a84b02f7f98050bf82d

SHA1
c5680deb67ae36b4f81502c0f1b677f988cc8fe6

SHA256
c848d3f584e1a500d777821c3628f42a5aa8f73fef4db1b3e51a5bd43c90681c

SHA512
a1cdc5036ff391acea7756ab5e6e04eca665ecc26b6ef9bb41395cad1b246095f80e37a2e788a91e5a600189978e0b39d32e4d566d81e818c1374d68abf99e98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
11KB

MD5
edc062c78a4310e6ba510e01c9e5917d

SHA1
cf2c2b9bb344ded05e758d7021b2f4913537da5c

SHA256
d722a5d56aa48325c5dc02fc0ce822adb8236814dd7d9021221c6c9e0f094f9d

SHA512
4578a2c31d309414dec309bca9faf8d423331a8635109ad635972e516b4117f4af001edb63f73ea8189bd381bfed50db74472672ed579e963386fa0b3f193b52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
26KB

MD5
bf23f3bd229c4cad6e5905a9593cdf61

SHA1
18bc3423438980e9fb7b0c326e6d31df0c4e8a98

SHA256
e6cb3335757bf3e9b7e2cea1d541bcff09f35a966982446027fbde75b836765e

SHA512
13b775678d09c762aec54026be856549f825d01cb8829ee57019d426e6b72812017c5c812f79ecc184c38a427c16c63af88242c94ea00d0d6e668a065b172f62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
90f9bbabc9a0585eb54896a0884fa913

SHA1
23e5d0a37497bb9270b6613daf80dd259adf204e

SHA256
f4fc304d7f48f92a14c8503483754444f751d93975a9509e837d9ea7c36bc40d

SHA512
d8b0c5aa8084e5c3d342d999c5a4c76a29261b519359f6b649a20e8fc647d3c7382981d43c3c13e45b01a25b225ee1434fa991c440e069e18beb1d719516bad9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8dd49c149553045f7e2f7d7ec483cba1

SHA1
02fac95031857778af6d25faee1ec9fa69c3c0fc

SHA256
ea7ccbe7e0e9db0f3a2fc66a693f1a0f03dfd688e1f8f313443af09d61bc710c

SHA512
99f2c0815b6dfc49696756026da4a473eee7094c7b627dedfe5c4e444f9d4031a16ae8aa83203d8553b5422e54d0b6850b3081846be528ea2dde5b27e99dba14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
723307331db94e22551560f30056f3db

SHA1
894f10db4ac6fb0b2e309440af7cadb859e01741

SHA256
f234d90505091ac197c4ae7b05119fe2aa2ef34ce8b7c9e71c9bc4b2cc3859bc

SHA512
fcf013440bf71f79577ec0fdb32f92bc2ff4cc1a98b156b2c33acc0f9b826ee0ea5b280f724f0836c1ed61be63b042de8ef1e20130ed527ce3ce09f02db86444

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9c3270c1cc369275bd3e1530c753cbb3

SHA1
b88475853ba5c0baf15905421b7a446641b9f651

SHA256
3fc02ac75fad7ca279499bf03c660bcb43b649a5559c7f5cc857e23ff95df435

SHA512
26bddb2da1f20dd9b4110b3bbcd35f2bda2f19fb609fcbd71dc69836b39674b5f51effb9d1d2c6bb6d30062f8917ebb52ac7e9976e243356b2721a0b47086112

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\2e0742ce-4d29-446a-b4f5-6f0a6c263b75

Filesize
982B

MD5
60cd9b09708f9831307aadcdd047b13f

SHA1
c0debe8d87c5f974fe2879fdde5ab0673c7b1181

SHA256
1bb9ede04bd5365f8c8ac7646624f8bf485731dd1eba8cb75ebf20fdb798170a

SHA512
75492f0f74e8ed2ee146771e32cc9fe7481e32634e71ad011f5789ecaa1d11418b2bfee80bc3be9d48f46b37911b6bb7b3796c7673965cdb00e503bde8f9790a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\44d68546-6b47-435c-846f-23a669cb4bab

Filesize
26KB

MD5
8326336ffb9ad554253a11ccdaaa502d

SHA1
7fa0abe5d89f22908562b008c5fc940c17a4d4f3

SHA256
d3e17bda7dd1cfa31f83dbc1c33e79c3f3be190c8859ba82f6b3b6308f11d284

SHA512
eab133e8af68ac316908f4137d915f394efc26fc22a3b4b5ea44e2b111d1cef46c1bd95f3b9ed2c991036ad859bf233cab60e98aa5cf050569ffd153e92a243d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\754bdb4b-b8ea-4411-8b08-1d0c5341d82e

Filesize
671B

MD5
1de0447f1d797b8d286978a47fe9f627

SHA1
22e734c71d38a54f79de8ceb4d2012dce7d6b2cc

SHA256
15c7bef01652febce5c932e85186ad673ae94d852199c16602c147a6608698c6

SHA512
82dafbdc107a46da2ce301183f985a698d276bc079458f1907d61967b2905a51189be71235138496aacd64846cc304cbad3889c99846d05e7166360985f35176

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
886ec154263849e62931f267eb80e357

SHA1
08092198fb81331a74cb248f549633e55f60667f

SHA256
e777b79da4139a5349cd3d72df3b5a4298e6e64b1133d8f1eb33adcf93c99259

SHA512
354d2a51be39feaa7e22d7e74d0df3f5c08b92245e053feedaf2e2d544d49f788ff1b5bb4f90c819a5e182fc40596f2f7035806467b4d156f5f3992ffc387c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
6aa6cb5fb48ca54a5acc8a7cc528067b

SHA1
f05d53d60b91b64529878af8c7c14abe7f0ec4df

SHA256
c0190c736fbfa37817e8e54756468291190d5e1bdc19c1d23c15394ab0e8d618

SHA512
f7f832fb5abe10a5d7f0a10b065de3b82ea40c8c9d49465ebecf237ac6f81e421ed49c1c7d33138ed579f326496d3753238275c0ac4de4b343e07ce0e8f9a121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
de4f9dec35419a7329583b25032fb6b4

SHA1
1d8ae779e97ac38221cab8c69665b75186795053

SHA256
ee61932f1348039473960ca886ce72aa3f78ea21081c2f99e6cb8bdd35b95beb

SHA512
fc8f4a54dc374a0cb1d93c2b947704223067a994517298a459bee3e90ee52c0471eca353138b39663e5cb6d7852885b12e38e8ba85605f1d0964171393ccd229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
12KB

MD5
b050362501355821e4312f6d2c8f45c2

SHA1
690c45cd430de8a57accd7530ee9aa44ceff82cb

SHA256
0ba7d75184608cedecd183d62e2d56cd916a07e1eefe733f626cd9e3bcacf49a

SHA512
fda45b4d9b27a60d1f5b103fc4f7beb4c2c990f8e26267f303a6a6c30a7388d1f8cf9fd752e9f996925c4a9e0437e7656e258a99d76a274e5ecc7062441b7ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
e4546256a6bd4c82d956a1299c1b26c8

SHA1
65208bfd4718e8b1948304af97441f973b0c7557

SHA256
452fa0968a1474599a3cb932d2782bdc2e1a66241e743df7b50f61867c6068b0

SHA512
2bc63a7b3cb8edcc9bb5a196d86f5d9a6c8f9d7ce37acdfdcfb5688e93eb57756accfabf62f7b9a1284405697fe8b4153e7495f9b3b2f2a3122b78d6ccbb5ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
708e0789101254068d5cd3df1b96eb2c

SHA1
f1b573198db0a9f0eff1132f1d3f405fba392bc0

SHA256
efa0facafa5d5ea0155e1d7862bb1c0ee8fad32a45107c9ae0eea1cd3a33fe92

SHA512
50909a455e99f9a47f09dc4f36a95e7d3ff701ecdaf1a2821c9e893034c1af3cf3cd592766da8d65ec0d94fc3f80ced7725e9847e5aec6926906472cf8b020e3

Download Submit
C:\Users\Admin\Downloads\BandagedBD_Windows.dilz3ZhR.exe.part

Filesize
112KB

MD5
5771dc777121b6db68b13177c6d2f479

SHA1
5da5787b7fc16b23a580ca2fb59e596d7ca35a98

SHA256
5381cf1c07d26fd6eaebf43c14e27edc787e03e2e2959d7fcc106196fce9516f

SHA512
fcdcfc0631295d3317063fc2b4e2054cff87f8bc597e0c4481c023d2afabbdd97180d15420b94882d2b85d7dd4d147975312bab6d22b9393f1e9009f03753d72

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 894368.crdownload

Filesize
112KB

MD5
402fbc0999cb0c517678676d31dcc578

SHA1
943db51502db80faad6c7eb76cc7094304a4db3b

SHA256
3b1a505b23715f16b1a8083f14f07b7bb619d1b42f74b2f5791cf5b02888bfdf

SHA512
b3793c9ab550103b697bcd75471bffac6d2285a9ee3910ba39ed21ae5160f8e8db57792d35633a5b36387cb131b65048a1db278f2c93d66c1d79d5829d1f6e63

Download Submit
memory/2600-1019-0x0000000008140000-0x0000000008148000-memory.dmp

Filesize
32KB

Download
memory/2600-1021-0x00000000081C0000-0x00000000081F8000-memory.dmp

Filesize
224KB

Download
memory/2600-986-0x0000000000FB0000-0x0000000001126000-memory.dmp

Filesize
1.5MB

Download
memory/2600-1022-0x00000000081A0000-0x00000000081AE000-memory.dmp

Filesize
56KB

Download
memory/2952-649-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download
memory/4016-519-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/4016-530-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4016-518-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4016-514-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/4016-517-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/4016-520-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4016-521-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4016-516-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/4016-515-0x0000000000CD0000-0x0000000000CF2000-memory.dmp

Filesize
136KB

Download