cefe4e9c6fe234191788d51417bf9de9fb3a65078c6c4ad82918e35f70f415e3

Analysis

max time kernel
141s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/09/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orbit Executor_38541207.exe
Size

9.5MB
MD5

7c6ee11bb51836c324084fcc3c6e2445
SHA1

98a55adddca774d5e402bea0bbdf8054332975ef
SHA256

cefe4e9c6fe234191788d51417bf9de9fb3a65078c6c4ad82918e35f70f415e3
SHA512

f0adbe141fba42b56cf4594de8fee80d69da95478a8abb05d39dae345c735953e8c8927a34ea34bc5dfb039a65719059c1089dbc503761bb3dfb2ec679dbce24
SSDEEP

196608:aK0MPGCiZt9cKOrqNRxmQ3bKfIiaNPFHNRsiKS:J/Ph0SrqNRxL3bIIiEHMnS

Score

6^/10

discovery

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup38541207.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
46	raw.githubusercontent.com
64	raw.githubusercontent.com
65	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
612	tasklist.exe
972	tasklist.exe
4816	tasklist.exe
3700	tasklist.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 3 IoCs

pid	Process
4240	setup38541207.exe
3324	setup38541207.exe
4436	OfferInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe
3324	setup38541207.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orbit Executor_38541207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup38541207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3584	msedgewebview2.exe
3452	msedgewebview2.exe
2140	msedgewebview2.exe
5368	msedgewebview2.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4996	timeout.exe
3420	timeout.exe
3416	timeout.exe
3984	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Opera GXStable	Orbit Executor_38541207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Orbit Executor_38541207.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	Orbit Executor_38541207.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup38541207.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup38541207.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup38541207.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\v1.01.1_Orbit 2.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
4240	setup38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
4436	OfferInstaller.exe
4436	OfferInstaller.exe
4436	OfferInstaller.exe
4436	OfferInstaller.exe
4436	OfferInstaller.exe
2916	msedgewebview2.exe
2916	msedgewebview2.exe
5368	msedgewebview2.exe
5368	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
5024	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	setup38541207.exe
Token: SeDebugPrivilege	4436	OfferInstaller.exe
Token: SeDebugPrivilege	612	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	3700	tasklist.exe
Token: SeDebugPrivilege	2316	firefox.exe
Token: SeDebugPrivilege	2316	firefox.exe
Token: SeDebugPrivilege	2316	firefox.exe
Token: SeDebugPrivilege	4280	Orbit.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
5024	msedgewebview2.exe
5024	msedgewebview2.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2848	Orbit Executor_38541207.exe
2848	Orbit Executor_38541207.exe
4240	setup38541207.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe
2316	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4240	2848	Orbit Executor_38541207.exe	78
PID 2848 wrote to memory of 4240	2848	Orbit Executor_38541207.exe	78
PID 2848 wrote to memory of 4240	2848	Orbit Executor_38541207.exe	78
PID 2848 wrote to memory of 3324	2848	Orbit Executor_38541207.exe	79
PID 2848 wrote to memory of 3324	2848	Orbit Executor_38541207.exe	79
PID 2848 wrote to memory of 3324	2848	Orbit Executor_38541207.exe	79
PID 4240 wrote to memory of 4436	4240	setup38541207.exe	80
PID 4240 wrote to memory of 4436	4240	setup38541207.exe	80
PID 4240 wrote to memory of 4436	4240	setup38541207.exe	80
PID 4240 wrote to memory of 3396	4240	setup38541207.exe	81
PID 4240 wrote to memory of 3396	4240	setup38541207.exe	81
PID 4240 wrote to memory of 3396	4240	setup38541207.exe	81
PID 3396 wrote to memory of 612	3396	cmd.exe	83
PID 3396 wrote to memory of 612	3396	cmd.exe	83
PID 3396 wrote to memory of 612	3396	cmd.exe	83
PID 3396 wrote to memory of 4904	3396	cmd.exe	84
PID 3396 wrote to memory of 4904	3396	cmd.exe	84
PID 3396 wrote to memory of 4904	3396	cmd.exe	84
PID 3396 wrote to memory of 4996	3396	cmd.exe	86
PID 3396 wrote to memory of 4996	3396	cmd.exe	86
PID 3396 wrote to memory of 4996	3396	cmd.exe	86
PID 4436 wrote to memory of 2324	4436	OfferInstaller.exe	87
PID 4436 wrote to memory of 2324	4436	OfferInstaller.exe	87
PID 4436 wrote to memory of 2324	4436	OfferInstaller.exe	87
PID 2324 wrote to memory of 972	2324	cmd.exe	89
PID 2324 wrote to memory of 972	2324	cmd.exe	89
PID 2324 wrote to memory of 972	2324	cmd.exe	89
PID 2324 wrote to memory of 1652	2324	cmd.exe	90
PID 2324 wrote to memory of 1652	2324	cmd.exe	90
PID 2324 wrote to memory of 1652	2324	cmd.exe	90
PID 2324 wrote to memory of 3420	2324	cmd.exe	91
PID 2324 wrote to memory of 3420	2324	cmd.exe	91
PID 2324 wrote to memory of 3420	2324	cmd.exe	91
PID 2324 wrote to memory of 4816	2324	cmd.exe	92
PID 2324 wrote to memory of 4816	2324	cmd.exe	92
PID 2324 wrote to memory of 4816	2324	cmd.exe	92
PID 2324 wrote to memory of 4012	2324	cmd.exe	93
PID 2324 wrote to memory of 4012	2324	cmd.exe	93
PID 2324 wrote to memory of 4012	2324	cmd.exe	93
PID 2324 wrote to memory of 3416	2324	cmd.exe	94
PID 2324 wrote to memory of 3416	2324	cmd.exe	94
PID 2324 wrote to memory of 3416	2324	cmd.exe	94
PID 2324 wrote to memory of 3700	2324	cmd.exe	95
PID 2324 wrote to memory of 3700	2324	cmd.exe	95
PID 2324 wrote to memory of 3700	2324	cmd.exe	95
PID 2324 wrote to memory of 484	2324	cmd.exe	96
PID 2324 wrote to memory of 484	2324	cmd.exe	96
PID 2324 wrote to memory of 484	2324	cmd.exe	96
PID 2324 wrote to memory of 3984	2324	cmd.exe	97
PID 2324 wrote to memory of 3984	2324	cmd.exe	97
PID 2324 wrote to memory of 3984	2324	cmd.exe	97
PID 2848 wrote to memory of 4632	2848	Orbit Executor_38541207.exe	98
PID 2848 wrote to memory of 4632	2848	Orbit Executor_38541207.exe	98
PID 2848 wrote to memory of 4632	2848	Orbit Executor_38541207.exe	98
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102
PID 4580 wrote to memory of 2316	4580	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Orbit Executor_38541207.exe
"C:\Users\Admin\AppData\Local\Temp\Orbit Executor_38541207.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\setup38541207.exe
  C:\Users\Admin\AppData\Local\setup38541207.exe hhwnd=393624 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-u9hAJ
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4436" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "4436"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3420
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4436" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "4436"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3416
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4436" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "4436"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:484
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 4240" /fo csv
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:612
  - - C:\Windows\SysWOW64\find.exe
      find /I "4240"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4996
- C:\Users\Admin\AppData\Local\setup38541207.exe
  C:\Users\Admin\AppData\Local\setup38541207.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dbee728-1fd4-41e3-9240-01b5121c3760} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" gpu
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2312 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb254af-6ad5-411b-8bd9-2f73130ab81e} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" socket
    3⤵
    PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 2548 -prefMapHandle 3096 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cac280e-2771-48a1-ab50-54b1bbeda9ac} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3036 -prefMapHandle 3164 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c33750c-8085-47bf-9b23-e427d3377bb9} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4584 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c9b4aa4-f202-469e-8151-91059657cc97} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" utility
    3⤵
    - Checks processor information in registry
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 4308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28efe327-6844-4cd9-87c9-210b3230cd6a} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:2264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c68a26ca-257f-4e5f-a04b-f0030fe7f4c8} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5780 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd13fd2-2aa9-4056-80cc-de7bc1e6263f} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab
    3⤵
    PID:2932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2552

C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe
"C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4280
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=4280.1812.14174820331338019296
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5024
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Crashpad" "--metrics-dir=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x134,0x7ff8f58a3cb8,0x7ff8f58a3cc8,0x7ff8f58a3cd8
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3584
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2500 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3452
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2140
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4632 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPF6476.tmp

Filesize
17KB

MD5
93ad8800e31cf6e3851969647fa554cb

SHA1
aa8300fa7ba1e9aa7703729633c34e38e70b743a

SHA256
7d3e304bfb729e2c758396b6095682c416c4aecdba171205c1d470dcc272e7d0

SHA512
830444453a47539ee18a2f7524127d58ef50d9785496058beb002c60c4c2fb9442577cdafcbe68085907e8573ab01cac3b022c53109808167245f6dc85d1b4b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
da82c27a0ac7c5807be7657cc33758df

SHA1
2feb65dafeabad4050b0343552985895e11d7c69

SHA256
604d4cfa4c9ac03fdab9f9eff45cd5848205617b0bff77432e1801b6aed7fdaa

SHA512
36c9c3104dda90c4ef9a924331818079bcb85360402ba9f179eb7595092c350ed5b20dba0f686aa1b05b7c42d018081659bff051928cc85756b411e58b0bbd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\setup38541207.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

Filesize
8KB

MD5
c9ce44dd97dbf900d6a565545c429d8a

SHA1
a26e1875469bb24018ce68295c8ba9be308bcb29

SHA256
0e9239f1e8575b240c95d96a67bb195618c73da839bea874644bcf34c40bfc7f

SHA512
2c616a51dc1204d3c9cebf87582fb9b234cb30e707bff60edd77ca9ef41ea528263270e934bc61882ccf1a6d63019b7a93481af9580cb591c525c165f376e87f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
19edd101ad5b5f3a5e2a5f5c2dae3209

SHA1
0bd15f5e250ffbe6836afbc8743543deb754ebc8

SHA256
cfcdc82254b45da0229e852d23b235aa19a2ff65446b30e5b26d5fcd75360e67

SHA512
6ecade2eb4e3cf1abf803cb799d1f75e7eb3afb58edc5e8153fb49028e812ef085278acdd6ee007daa3cb82ed1b7ec0c26c82fa71145a062d296772516605e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
024cff32d48d5383133a8c02e4003a65

SHA1
caa860a7634814764dbd0200be122d6b6002a7f5

SHA256
0c463b13c62f174021bd1e63631a909a622f386b2a94d4cb9f0ebf80dee510d1

SHA512
ebf3c0d7512e4b3586366b158c243dd63f398356d031d1ade589e4372cc6317b61623adafd8b09c8f7c93141151643b83128051c7d379d6f63d252e6a918370e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
99718addc42227aefd3285855aca6f23

SHA1
3ca6bee5ae828e3cf7a989604c0f5c12baee6e53

SHA256
5e408d60c6a23d91349fc6320e1e1f7d006158cafdde4cdf586eb3d8d7af26f9

SHA512
3f3c353707a3cfc4daceacf1095f5a3bde0d57f8398bb7651b316fdf9ffc7a1570670dc9709634e46e01aa13164d250356d9693a17bc7f0249f233a81d2907fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\014e0ab0-efad-4591-a3ac-d773e3db257e

Filesize
982B

MD5
da176251407e98f0a17c36347a5640ae

SHA1
43d9fdbbd9ddacb0cdfcba8da7e92be578519363

SHA256
9b45931986f69807dcc704a6fcdb7bd92146d5411f3ae73f25efb0df9e1bb1a8

SHA512
01c155087335de8d1d8f01f1941e6874f1bfd5a099f763da872bf343cd93052b037b5181071785d29a83f4e4fa8b91f3fc59d5709a268e552c98ea46deaba21b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\3f845571-b8cf-4f92-9e69-7527192ca56e

Filesize
671B

MD5
92e6559559aa0708be99800ad9e3b00d

SHA1
cf2192ebef2f2bddba1696ad77a6a019983b1e75

SHA256
42d49745290971380dccc91d298787434146fbbc4c718bd84f0238a1fc8850c8

SHA512
892abf641e558ea615d3150cb95954354832ea5fba422d8db210e5be391753af8fceaf38ce290584184ef62720bb51499c9e323b89762474d44b511a8bffa180

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\9f1bf6aa-b159-4e68-bdbb-047922b2bf39

Filesize
25KB

MD5
e0dd272e78a4c06876b301b9e1f0b747

SHA1
8793ef84409557551cc354f33f415d6ba11d6740

SHA256
dd3e2d71b1a5e53dd84838c77016b23d16c5a8b6921961a91346f9815c6eb3f2

SHA512
e7dc4d5f0c928b5c9f4f741d965bc5fc27b674b2064a1a448ff746600d7f833fc8d4fbbfe469356a6337dd86aa26ddb16800fa0ecb931641050a01928224921b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
11KB

MD5
90eca297f6c3b70ee86db716bb9b79d9

SHA1
96002bb03ee8be05043643e74ff61ac87e43a84a

SHA256
8757eb0d325c6a251c97454431a77c13f7243685121fd763c9665c49e81c6533

SHA512
c3b67db62aee0ebbdc1b9755b60ed81087f5c6e1e9533b754eb743f004e559358539f774d8d6d9c447c718c5cb475ac6771855617b0d996a87365517e3205cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
11KB

MD5
fe9decc2cd1e15244ead2c879790ba06

SHA1
70abf2a4376688e957da707a8e2d473ce8cc087d

SHA256
c946f9fed27335577ee5b841b7c2251103511ba17a15990cb81122fdd32d8843

SHA512
23abbdd50befacfc17001315b8c4dcc3cdc8f82f9b41ff2877859ea374d51b8ff2479223e931508c0fcb82ce124b41ea020a79070ba2b9726b744b568a9470b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
11KB

MD5
91893426819e6aabd77e61b5632437cd

SHA1
5379f1e15d5f34968d41af1ddc2a8aa6e6b550be

SHA256
1df41308cbf28bd4b35f9f297a453a0c40179b071505d74c10397bddf6d708cb

SHA512
1b2d1f897187357910d7d55cd9f28eaae47f1743dc67134549555554d795f131273cc82a8d21d0c83f2c068bf87bb457663f0b1d34f0bd4dc18bdbf27036ecac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
f244e861e17fd86d2a7faff38d3ffc66

SHA1
888bddbbf9dae94df89a1f9788689525d8a2df5a

SHA256
ecfea9f2d3c9774f10f5e2e097106e833106d57f462e6e02c59a065453942dd0

SHA512
ef1964ff79d435e498378eaa4751aeb0a955e6a6e560f284a43fbb1899e64b45753576ab724a90c154ceb1f34edd5304f2b6af0811632aae3a5bb6ebbb0d5146

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
0cf9b003b0af013750e06e6da753f613

SHA1
20e5a8d6de6fdb9cd50e4509ce61b0537f845c83

SHA256
df3df8d831afea1763c6a969ecd3ea57263d9fb77c700ecf5ac78846444874f0

SHA512
545dad3610893643e1f0521c76c59fae07afd5888e372d91a5a697d37b88a196b4389613f9dc2bdb97a0a935f09d1fdb8239ba8c4e9632b9beaffa843cfec0bc

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
8d01233cf101c69d82040f8be773b824

SHA1
d46214cfecb03565f90b3269036024ac3b986596

SHA256
c46a9fdc41d4544a39aa83351a00f41c91451c42cde9a6c024e3cf5b460a5693

SHA512
7437a2b528193f415ebf96b3eddce1392c2fd6fe095611a8f72dc2fb954d62e4eee8b3ee77f97cd43347a29e8ad4ff766c073115906998b54adcfb6b095ca574

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Network Persistent State

Filesize
299B

MD5
b5c33fbfda6e5471b869a9d2784e0ad7

SHA1
0b792318360bceaa7272c66c16d6330d19dcc2d9

SHA256
875ecf86874ea91b87986d53c3c51a52d1c44236421c3e350eea32264a5eef9d

SHA512
a3e992d523ae55133189bac8bf675d02b3566e15479e73548caaf66589aca521a91d9fca68e482886ec4c083f7cd1d648f7e572766b47fc91bedd047511fae49

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Network Persistent State~RFe597a37.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Preferences

Filesize
14KB

MD5
ad2c5e623c5ffe2d5e55c381251073f2

SHA1
84ea9dfe181d978a68a351fcc1404e885ab7df84

SHA256
55b85b700fb82805762a7bbc8db1c3c2ab9f36c1da7a7162717ba7b2ba3ee501

SHA512
d300505b56cc7837a591df3ee8bb0ba89a1db2711673bf3953b5ebf038197f1c7fc1a1263b91279c08fe90b179bc9baad2b4adda954c8c19b05601fdc01a4db2

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Preferences

Filesize
10KB

MD5
8891338fa16fc3bb1982f8427833792c

SHA1
70924f473f99399ec7070315cfafdbd1c4daf15f

SHA256
c8305a9a9c42354d9fdc88a9d83fbc1e1288eb6d767110b6d23d57bf5d768e36

SHA512
205bcfb78eb460fdca75b6eeefb6b265c84d5e2865cd42452ef442ce5a946555cd0fd35099485eefb97347a1a88c2cc5dfa359a2e03831f410399214fb50f06e

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Preferences

Filesize
10KB

MD5
2188b4e12047e63006a971bc4b7a2559

SHA1
b09e6afa011c57ce1b7cccab1672f471f300dcd0

SHA256
5afb96241ffa2602b5c506b0dba0622184150eecdb00b5dd4230d0fae88607df

SHA512
443b90400659bbb75e1cdc7b53a324c19553c1a9a6a29078d939a0c9e52c176df60fc8ccbaf3c89bbba9dd19ba51953d163e52776b34cac39ad94f8343e1fea8

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\Secure Preferences

Filesize
6KB

MD5
914eb7f2a3d88904bb047acb0eada080

SHA1
f9b2b9879695d552feee5b44afaa23908eb72b5a

SHA256
f146730cc192bb573035a919123559af1e8d35cda487fa0d0f2e68f2c7a7b296

SHA512
eae513954f6b112e48cbe92eccc415e6e4b7f857393950d79db00d5b412eab6b11b9c45eb9492a302839d7f000ab95fcd9e2210e6aaafe5acc55eb192b51a949

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Local State

Filesize
45KB

MD5
b8ac648da3f1d3b657feeb8d1ca4b9fa

SHA1
6193fa0e06bd28b895937d39b56a422c2baa09be

SHA256
43934d9ab32058a86c0c545a275a0cf3324a811ada87f96dd2092254ca008fb4

SHA512
8ab89091605b56a569bb1ea9aea76cb712bef52cfea5bda3275753b0af6994f1c451cad7560618a3f374c575a27fa5202b3d3abc9bc1703022687738519461e2

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\ShaderCache\data_1

Filesize
264KB

MD5
82c6fb898bbfd0e6404729b2cf84d2ed

SHA1
b6dda7e507118aab605dab5469c587ccb28af303

SHA256
eec9ca1610d7ce1930e14ef3eb1496d67987cb7db580b50badfc99fbc8fefaf7

SHA512
fd291cab836ddbe6440e06fce177f927f758fec71e82c92324c62b92b987eb3f8806631a000eca3da28b2c27e4a128d190427dd52465ee5e420461b350d07050

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Subresource Filter\Indexed Rules\28\scoped_dir5024_575589820\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\Downloads\v1.dwP4yUnx.01.1_Orbit 2.zip.part

Filesize
4.7MB

MD5
617465ad5938f94074e03b6857ac37bc

SHA1
dbcab7462c93744ccf24be5e8f54afe5e09f9579

SHA256
bd00399dfaad1c2165994f849632a493131d6f6b6c4678b0e7dfdd7707f98fb5

SHA512
e5a1051528b20091b4df2b123cc15103f3c9f83da9e172fa5230d18d32d41c72970c3ff5387f3670055edfd1c65fe6f8827eb7735465ead46878154c7c0bdc5a

Download Submit
memory/2140-1396-0x000001D600010000-0x000001D60007F000-memory.dmp

Filesize
444KB

Download
memory/3452-1395-0x0000023780010000-0x000002378007F000-memory.dmp

Filesize
444KB

Download
memory/3584-1394-0x000002BA86760000-0x000002BA867CF000-memory.dmp

Filesize
444KB

Download
memory/3584-1299-0x00007FF9178B0000-0x00007FF9178B1000-memory.dmp

Filesize
4KB

Download
memory/4240-78-0x0000000005F00000-0x0000000005F32000-memory.dmp

Filesize
200KB

Download
memory/4240-62-0x0000000005E30000-0x0000000005E5E000-memory.dmp

Filesize
184KB

Download
memory/4240-17-0x00000000718DE000-0x00000000718DF000-memory.dmp

Filesize
4KB

Download
memory/4240-275-0x00000000718DE000-0x00000000718DF000-memory.dmp

Filesize
4KB

Download
memory/4240-215-0x0000000006380000-0x00000000063AE000-memory.dmp

Filesize
184KB

Download
memory/4240-198-0x00000000078B0000-0x0000000007942000-memory.dmp

Filesize
584KB

Download
memory/4240-187-0x00000000087A0000-0x0000000008D54000-memory.dmp

Filesize
5.7MB

Download
memory/4240-181-0x0000000007C30000-0x00000000081D6000-memory.dmp

Filesize
5.6MB

Download
memory/4240-178-0x0000000007550000-0x000000000755C000-memory.dmp

Filesize
48KB

Download
memory/4240-172-0x0000000007190000-0x00000000074E7000-memory.dmp

Filesize
3.3MB

Download
memory/4240-171-0x0000000007160000-0x0000000007182000-memory.dmp

Filesize
136KB

Download
memory/4240-170-0x0000000006CF0000-0x0000000006CFA000-memory.dmp

Filesize
40KB

Download
memory/4240-165-0x0000000006D70000-0x0000000006DFC000-memory.dmp

Filesize
560KB

Download
memory/4240-144-0x0000000006690000-0x00000000066A2000-memory.dmp

Filesize
72KB

Download
memory/4240-94-0x0000000005F70000-0x0000000005F94000-memory.dmp

Filesize
144KB

Download
memory/4240-110-0x0000000005FC0000-0x0000000005FC8000-memory.dmp

Filesize
32KB

Download
memory/4240-128-0x0000000005FA0000-0x0000000005FBD000-memory.dmp

Filesize
116KB

Download
memory/4240-18-0x0000000000F30000-0x0000000001308000-memory.dmp

Filesize
3.8MB

Download
memory/4240-118-0x0000000006010000-0x000000000603C000-memory.dmp

Filesize
176KB

Download
memory/4240-37-0x00000000037C0000-0x00000000037D4000-memory.dmp

Filesize
80KB

Download
memory/4240-50-0x00000000718D0000-0x0000000072081000-memory.dmp

Filesize
7.7MB

Download
memory/4240-54-0x0000000005E00000-0x0000000005E28000-memory.dmp

Filesize
160KB

Download
memory/4240-276-0x00000000718D0000-0x0000000072081000-memory.dmp

Filesize
7.7MB

Download
memory/4240-45-0x0000000005DD0000-0x0000000005DF4000-memory.dmp

Filesize
144KB

Download
memory/4240-70-0x0000000005E90000-0x0000000005EB8000-memory.dmp

Filesize
160KB

Download
memory/4240-296-0x00000000718D0000-0x0000000072081000-memory.dmp

Filesize
7.7MB

Download
memory/4240-86-0x0000000005EC0000-0x0000000005EDA000-memory.dmp

Filesize
104KB

Download
memory/4240-102-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

Filesize
40KB

Download
memory/4280-640-0x0000000009BE0000-0x0000000009BE8000-memory.dmp

Filesize
32KB

Download
memory/4280-1266-0x000000000AC40000-0x000000000ACB6000-memory.dmp

Filesize
472KB

Download
memory/4280-642-0x0000000009C50000-0x0000000009C5E000-memory.dmp

Filesize
56KB

Download
memory/4280-639-0x00000000003C0000-0x0000000000BDC000-memory.dmp

Filesize
8.1MB

Download
memory/4280-1274-0x000000000D020000-0x000000000D1A8000-memory.dmp

Filesize
1.5MB

Download
memory/4280-1271-0x000000000BAA0000-0x000000000BB06000-memory.dmp

Filesize
408KB

Download
memory/4280-643-0x000000000AB60000-0x000000000AB6A000-memory.dmp

Filesize
40KB

Download
memory/4280-1268-0x000000000ACC0000-0x000000000ACDE000-memory.dmp

Filesize
120KB

Download
memory/4280-1283-0x0000000006530000-0x000000000653E000-memory.dmp

Filesize
56KB

Download
memory/4280-1285-0x000000000CF90000-0x000000000D002000-memory.dmp

Filesize
456KB

Download
memory/4280-1281-0x0000000006570000-0x000000000657A000-memory.dmp

Filesize
40KB

Download
memory/4280-650-0x0000000006250000-0x0000000006262000-memory.dmp

Filesize
72KB

Download
memory/4280-1397-0x000000000B800000-0x000000000B808000-memory.dmp

Filesize
32KB

Download
memory/4280-1398-0x0000000011110000-0x0000000011136000-memory.dmp

Filesize
152KB

Download
memory/4280-1264-0x000000000B290000-0x000000000B5E7000-memory.dmp

Filesize
3.3MB

Download
memory/4280-1263-0x000000000A410000-0x000000000A4C2000-memory.dmp

Filesize
712KB

Download
memory/4280-1262-0x0000000009A70000-0x0000000009AEE000-memory.dmp

Filesize
504KB

Download
memory/4280-641-0x0000000009C80000-0x0000000009CB8000-memory.dmp

Filesize
224KB

Download
memory/4436-293-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download