asyncrat | 7346914f0703f198aeaf4d8417ba2f729cde3e8b034e2803f94b07800d7a4e7e

Analysis

max time kernel
2699s
max time network
2696s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idontwannabetrue.exe
Size

45KB
MD5

65702e476fe79a572631dc686ce6e4df
SHA1

2afd23c0ed708604eb5382cdc6402b4e90a68466
SHA256

7346914f0703f198aeaf4d8417ba2f729cde3e8b034e2803f94b07800d7a4e7e
SHA512

0c6132ddf953b44ab98c0f118533315bc10c1eafcd6521b8e1376f856de9620b32e5b0905f783423f9b89aabd2284ad4aa36b51ff09c5850a4880ecdeb232269
SSDEEP

768:Ju50dTtQpVBTWU/fShmo2qggfayJFxiOPIBzjbMgX3iUUacah3UjNMLBDZbx:Ju50dTt0y2KRG3B3bDXSUUTNMddbx

Score

10^/10

asyncrat default discovery evasion ransomware rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:62565

127.0.0.1:4782

127.0.0.1:1501

Cristopher11sa-62565.portmap.host:6606

Cristopher11sa-62565.portmap.host:7707

Cristopher11sa-62565.portmap.host:8808

Cristopher11sa-62565.portmap.host:62565

Cristopher11sa-62565.portmap.host:4782

Cristopher11sa-62565.portmap.host:1501

190.104.116.8:6606

190.104.116.8:7707

190.104.116.8:8808

190.104.116.8:62565

190.104.116.8:4782

190.104.116.8:1501

azxq0ap.localto.net:6606

azxq0ap.localto.net:7707

Mutex

E2qgtjRHaRSi

Attributes

delay
3
install
false
install_file
Java updater.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

idontwannabetrue.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	idontwannabetrue.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

idontwannabetrue.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	idontwannabetrue.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 8 IoCs

Processes:

wmplayer.exeidontwannabetrue.exe

description	ioc	process
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-87863914-780023816-688321450-1000\desktop.ini	idontwannabetrue.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

idontwannabetrue.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp31A1.tmp.png"	idontwannabetrue.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exewmplayer.execvtres.exeNOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEcsc.exeNOTEPAD.EXENOTEPAD.EXEwhoami.exeNOTEPAD.EXEidontwannabetrue.execsc.execsc.execvtres.exeunregmp2.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idontwannabetrue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

idontwannabetrue.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\WallpaperStyle = "2"	idontwannabetrue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\TileWallpaper = "0"	idontwannabetrue.exe

Modifies registry class 4 IoCs

Processes:

OpenWith.exeidontwannabetrue.exewmplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	idontwannabetrue.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Opens file in notepad (likely ransom note) 6 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

3344 NOTEPAD.EXE
5904 NOTEPAD.EXE
2012 NOTEPAD.EXE
4296 NOTEPAD.EXE
3640 NOTEPAD.EXE
4384 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

idontwannabetrue.exe

pid process

3524 idontwannabetrue.exe

pid	process
3344	NOTEPAD.EXE
5904	NOTEPAD.EXE
2012	NOTEPAD.EXE
4296	NOTEPAD.EXE
3640	NOTEPAD.EXE
4384	NOTEPAD.EXE

pid	process
3524	idontwannabetrue.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidontwannabetrue.exemsedge.exemsedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
2144	msedge.exe
2144	msedge.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3176	msedge.exe
3176	msedge.exe
5536	msedge.exe
5536	msedge.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

idontwannabetrue.exeOpenWith.exe

pid process

3524 idontwannabetrue.exe
3580 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exemsedge.exe

pid process

2144 msedge.exe
2144 msedge.exe
2144 msedge.exe
5536 msedge.exe
5536 msedge.exe

pid	process
3524	idontwannabetrue.exe
3580	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

idontwannabetrue.exefirefox.exewmplayer.exeunregmp2.exewhoami.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3524	idontwannabetrue.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeShutdownPrivilege	5840	wmplayer.exe
Token: SeCreatePagefilePrivilege	5840	wmplayer.exe
Token: SeShutdownPrivilege	524	unregmp2.exe
Token: SeCreatePagefilePrivilege	524	unregmp2.exe
Token: SeDebugPrivilege	6036	whoami.exe
Token: SeDebugPrivilege	1700	taskmgr.exe
Token: SeSystemProfilePrivilege	1700	taskmgr.exe
Token: SeCreateGlobalPrivilege	1700	taskmgr.exe
Token: 33	1700	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1700	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exefirefox.exemsedge.exeNOTEPAD.EXEidontwannabetrue.exewmplayer.exeNOTEPAD.EXEtaskmgr.exe

pid	process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
5536	msedge.exe
5536	msedge.exe
4296	NOTEPAD.EXE
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
3524	idontwannabetrue.exe
3524	idontwannabetrue.exe
5840	wmplayer.exe
5840	wmplayer.exe
4384	NOTEPAD.EXE
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe
1700	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeidontwannabetrue.exeOpenWith.exe

pid	process
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
3524	idontwannabetrue.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe
3580	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

idontwannabetrue.exemsedge.exe

description	pid	process	target process
PID 3524 wrote to memory of 2144	3524	idontwannabetrue.exe	msedge.exe
PID 3524 wrote to memory of 2144	3524	idontwannabetrue.exe	msedge.exe
PID 2144 wrote to memory of 396	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 396	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 3864	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 1396	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 1396	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 804	2144	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\idontwannabetrue.exe
"C:\Users\Admin\AppData\Local\Temp\idontwannabetrue.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe39e246f8,0x7ffe39e24708,0x7ffe39e24718
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9808982681752328639,10626814903143845324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:3472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gbd4ltdh\gbd4ltdh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A4.tmp" "c:\Users\Admin\AppData\Local\Temp\gbd4ltdh\CSC1199E9804EBA44D0ABF8B35FFD9C4EE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfbm3dxt\mfbm3dxt.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC19C.tmp" "c:\Users\Admin\AppData\Local\Temp\mfbm3dxt\CSC342FFC8A5AC84B53A39E706489A8176E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbzfwryy\jbzfwryy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF9.tmp" "c:\Users\Admin\AppData\Local\Temp\jbzfwryy\CSC4DABBFCF53D0425C86C6D6F6AC3E543.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x64.log.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe39e246f8,0x7ffe39e24708,0x7ffe39e24718
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1401730938368477564,18326754730053866211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:5808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1401730938368477564,18326754730053866211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1401730938368477564,18326754730053866211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
    3⤵
    PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1401730938368477564,18326754730053866211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1401730938368477564,18326754730053866211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:5724
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:5904
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2012
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:4296
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3640
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3176
- - C:\Windows\SysWOW64\whoami.exe
    whoami
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6036
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2360
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10513df6-1034-4b99-9f8f-12df247d0dbc} 756 "\\.\pipe\gecko-crash-server-pipe.756" gpu
    3⤵
    PID:3504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7984aa6-7108-498a-ad02-ac23276ff3a1} 756 "\\.\pipe\gecko-crash-server-pipe.756" socket
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3084 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3096 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6051e92f-a522-40cd-9acb-11a41a6a54d0} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3108 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34529b05-d59e-4ab9-b980-2f49492198d6} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4228 -prefMapHandle 4516 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a419be8-16ca-45c9-9371-f1e38bf8a6ed} 756 "\\.\pipe\gecko-crash-server-pipe.756" utility
    3⤵
    - Checks processor information in registry
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5692d4d-59cb-407c-a630-4ac8193a85e0} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab7bab1c-b7cd-4362-9b93-b54bab9ca65a} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0884df15-b762-4318-a62b-4302979601b2} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3e9584b-0c77-4515-9b9d-d664c0a1f11f} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -parentBuildID 20240401114208 -prefsHandle 6444 -prefMapHandle 6500 -prefsLen 29408 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efbbf79-014d-4e2d-affe-5dce526e7785} 756 "\\.\pipe\gecko-crash-server-pipe.756" rdd
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6604 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 29408 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91110780-6def-4368-bcdb-5ec2994184f8} 756 "\\.\pipe\gecko-crash-server-pipe.756" utility
    3⤵
    - Checks processor information in registry
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 7 -isForBrowser -prefsHandle 7048 -prefMapHandle 7052 -prefsLen 28292 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a802ac9d-7f75-464a-87de-a57f7aad55f1} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
    3⤵
    PID:548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5840
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3788
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3580
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\fuck
  2⤵
  PID:880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6126b3cef466f7479c4f176528a9348

SHA1
87855913d0bfe2c4559dd3acb243d05c6d7e4908

SHA256
588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4

SHA512
ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58960c4568ef706d07acb81f072ec73d

SHA1
0d2f6a150ae9f0611086ed3f04943bc7005ca926

SHA256
9ae8ad2f18925558eaafee959349005a05f0280e35e5e1f5b183ba6616808473

SHA512
cf77f1879a1df8c926b97c1369973f5329b1b7219439ee1a80572628662995b6cb24f20d4b24a166dfdb697ddc8dfda2372ebda364f11baec4cdd9ca94e29e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1988c403aabc6359dd86509f5eb2a0ca

SHA1
a96943fc39032b42cd9d6af32ee1f776952db4fc

SHA256
0ee1246b34712c5fb6db3d850b8b62be7326dab36fa49da09bdd0ab34bc1a4cc

SHA512
862e8d596b58359dd5bd7f4ff8b1aabbb344c0757b69a913d8cb2400ea88aed98c8f399818d77eb874628268f5c4e0fa257d865cfbff2a3823a7056f0201494b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dda6e078b56bc17505e368f3e845302

SHA1
45fbd981fbbd4f961bf72f0ac76308fc18306cba

SHA256
591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15

SHA512
9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
00e5e6b4452d805aff44364db900a7f8

SHA1
beed66984e8e4776eac8441d8c37ff34c448211b

SHA256
5260e59241befd928cbb00b84827caa8e53026e5c36d396f71d279d7aa55de0d

SHA512
d4428882752f4a3de20f9879250f49ffc2468e1d27e5f632b42b7056ea72833edd24c9ee648c9b67caf8aa44d70a8a3fa54fd0c1bcbcb1350e39cc99a5c33a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58a822.TMP

Filesize
48B

MD5
3731452ec5a1952485f5b134f93671b4

SHA1
875ad1ed6f8fbc5ad053fe3829cb1b29d640a808

SHA256
1e3ea38f463b4f72302525903afbc5b432825cbd25892e1ba84dc0cf0a217f44

SHA512
4855e4fddd8b7f6f1e672fb196a6a0ca4980419420a67161ffce9bff273916657cb0656473a85553ccdb4549c88f02637fe1a3ef5dac05c9481d61b4fcaf0b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
3535d7275d2527b1bc448797c0e66ffa

SHA1
5f860a537cdad2d0920c1a54893deb9234f47bbc

SHA256
75f94ec2552e1cc1eab92bc62568f38012405d233db108844420de8625722538

SHA512
ab73f69876c59646ca381d0bea0e948e733c5b9ddafec4bdc52646c6a144a06df1e67cb71a730061ecc641e3e7ceb9093af2a2f8f752765cac43b4b23987c082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
d2336261f4dbdf5668aac4cd93488ddf

SHA1
f293e38d6ff017ceddbf79ac6942a0b7bde505a4

SHA256
190954d457464a13cfa03dfb6857c8999003d5b838d37fe7945815a74d84efcc

SHA512
72461b299d3357b40b583bbd5a44dbffcaedd0e084c547cd1d3687aee881ce5f38fbd92baa2afd0f9ef52edbe56a20331f1669503693d878afeebb66ce0eca7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
3a33c59d9edc0db3b7333757ef08a998

SHA1
d67be9acc4cc07f1d5edfe396c24f2c86733660d

SHA256
f9e90a5d8211b6a38b82b00cbd5b5bea427ced43d2210c6a3850103f79d82f21

SHA512
cbeebc0f9609b6bf48dc666d8ba1624f24e254faceda0d106313aabcb065c7f35aee92f0518353e959b5584e639d50980bf08a8826c91ffd791a84c40b68ffe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
bfe440fd68d9cba74475e5adfe34e7b0

SHA1
c8c6dfa7de7da2eb98d9f7c1235c4ec93ddc7224

SHA256
03187527e8a69f49cd026b4a4de9cfdbe077950d4ef831104d49e8b6a3b7f408

SHA512
c3d6289ecfab5169b4fdc016fe13292d9ef686c3dd1de8ae7738e656e40c1eca8d8e4d1ba740b0244bac7dce41054a6ba8cd94ef2039f49dab7317e6d334a77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
125B

MD5
cc8e351c89e3d0de3611e9582b78d420

SHA1
858a81e880fc88f444a6932d1e3f765dc7d855e9

SHA256
bcb5c1827816170a31e0b499fbadb2525ffa12802d4f08c1145026e9dcdf94cc

SHA512
739603edef44383938d8b3246b909242f8cf5d114a3a154a59ff225c9dcc5f0651c3393dccab4fb66588aff5a47b7de7d2520b11ac56281870f3eee8713e7156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
291B

MD5
40ea1903e1f5d54cf4d464951e4e248d

SHA1
ae7edd3241e983a97cf314a2494f8fae18edcc47

SHA256
c5d0ad0b8b7a27d22422cdfdbc33bc14fa503e69bf3ad6803152dd7217e81a0f

SHA512
448d303b038fe2c768eb57e4f0d8296b7da38b8c2b187876723ce96e1dad710a4dd5c29a118d1baebe7900f80a07295157c63ee1c5e2613e741f28bbb873d83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
0fed5de1fc588c4f0afb137d6c15417a

SHA1
7964d9b52bcd937b1e15355cbcf14943b0d8ee08

SHA256
cc4c183abe0a44861436ad959e1c2e0a947b5cc153628361e1c7c4daf59c442f

SHA512
3df992fdd064913da99f290aa05b981402a09d80fd983785b1819d361956a7bf7ca45c685b270f208c0a325b2be973e739a6e3b0a2e29c09558db81bb6e02d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d09b8f6bfa6e56c9202b0b5ae91cb7f

SHA1
27e9111249372e644b77188cd2aebfce45be2c28

SHA256
8d85f7bee19f81fc88facdba8f2f5979d72d5651be97ce101e2aba0c457528d2

SHA512
63adecad43482302fcb147add69ccf5ab0251594151c292e17e574f9fd495c993531722f3c2226371b93371023521fe482eb2018032d47cbeb51b2ed058d1b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
8724c85c822ca25d17d9eb6e90de4f83

SHA1
6db52c0840136b326495db4a83bbc3cf3c9bf3e0

SHA256
04e285fc4f2aca9c982a87730b71ac75b6726edbbd607a8f5f7cf72b7b9441cf

SHA512
df1050b9be37726e6d95a32af2f3f5975ed11fb6ae21ce08fac9a11bc951c8b38f18de6bacb1f9c689a2694089ed59ee2db57193bf203faea391b5dcea43b93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8e216ef81ec9fa432b7e7a28a2bdc84

SHA1
b7fafefbba39fcc2e88fca97fee4e47ceeb044b5

SHA256
9c82491ac6661f8db8852ba064e2c9de016aababc8953683a0d73acea3150f37

SHA512
6ebd631031f10a12c7d59459da095ba783382dac61757895f86ace7bc79cc2b232ca959bf6ac2dea193336084647d25555f72f4439f4aaa2c362fdc6bdf397e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6514b613b5c630f8a17af142376754fc

SHA1
112bc960f024621aa753e25960fc6bd96e39eef3

SHA256
79bce823b2f5018d0e3fc0be2480f932e76e147263940b949a8415c9db432b90

SHA512
91a935fadde16a01d743326771ff71398db79e4a8d824dce27067e29d1de839e8aa30145173dcb2007821abdc147790ec94f52b92e3fee6d503f40f98fedcefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
90cc75707c7f427e9bbc8e0553500b46

SHA1
9034bdd7e7259406811ec8b5b7ce77317b6a2b7e

SHA256
f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb

SHA512
7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
931b19c22253dcfe30f857f91ee82dde

SHA1
6f678be94fd2f87c06b65b3004557833aedddc67

SHA256
6b18fdc7be76ebdab0b6368aa0cb6c7e9384f598bbd999237e470dc80470d416

SHA512
6cc75fae562dc84143154f782d0eb0fa4d3628fbb541f4b5a2ae2edf0168aa111b809eba4acdbdab943ecdd182c36b955cff08d00d8989809f6063b0449abb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
279B

MD5
ff0c4b118b77eff9835b0a28a3f07d55

SHA1
8581126a5fe437e03f67153fa0e92232c9aec8bc

SHA256
4e4381ca8bb67490f24b87a05776228b4f1c6440305c4160936f36c02ed77138

SHA512
14c9a02791f652fb15c5d2c1b6cabeb731a735cdc936fd67acc35d948a50497189cdd01169a521ca0da174f5f4aa59ce0a2b3f4f95e0395d0ec7f00fc82c8ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376252705374402

Filesize
1KB

MD5
376b2010b6cc0013f23308328b8ac1d0

SHA1
7ed85f78a3b62bf429ddc72f0ef8f56fde276f18

SHA256
cecf6e1628bc90ed6e81eae0d61170610a709138bd96204f9224a7536e0b8737

SHA512
7df7b4c33c9a6acb3ae3ee4b67f10257c239efcde95e408758b45f21cb7abfb6da3b7cb4b6b4b8bbf759bc59b63f275e5697c60a4d0e629e942d1a200cff7b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
d03fa844023f92dfc16d061a4cd4cb5d

SHA1
0052ffa8995c01f445571ebefca67302674841c3

SHA256
52ef2433489cfea041145b67f0730d6d7bb6b0f3c74fa23a3a2239155915358b

SHA512
b8889e9a5d7fd7f699634ff45dd6b27488ad11b32252193b6fa99e455fa2172c92fadc655a21c4d6f029a2040a8f47577bf6405c740a7bf7f40fa0f5b762ef82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
1386359dcb089990d5798e6d8679ccd3

SHA1
3256c15df85c1b1acae9b1672040ddbde8250211

SHA256
255abf33407290ba0553607b7a8bd250aada36f4d6f9c7a277f1ad4108d9f7de

SHA512
70b36c1a3f4b15ce1ff5ba38bc7af4e44b6fff415a95a32c3df30c5bfc34679afe713db095c46306b9814e3ffe438551145e5462cf4f32b51984f8e84e751347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
bdbba88ea93ecbbe56d80314b51c8ae4

SHA1
999d8b3b612fccca209deb8d49835174565315a7

SHA256
9b30382d35f5e5331a6f028dcebf2c1503fb8b29bb39c0e0ebc35065bbc12896

SHA512
697ed33644498775d3361af5430adbd96837010dafc5f941a782e21d9f66e34583513a967ce71923e918de5174b1cfe4cd1481f4114e077024f435564ba1ec95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
c86fcd9d723b845ddf02aea0c79bbc0e

SHA1
48dd1847f10e6c5d62a6ae4480d6ffebe60237ae

SHA256
2f4fd2533a50f68922f7151d2054883738e32fe2176171df43113ff5d1697df5

SHA512
a39da485b9c193fa6393424d8108683e847de7f4291e6dd04378037bf2427d1d1691e876a4f488414e99d3a2251c4c4f1625d62f4a0680d36abd0aa9e00f3e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
160B

MD5
2e19a9040ed4a0c3ed82996607736b8f

SHA1
5a78ac2b74f385a12b019c420a681fd13e7b6013

SHA256
2eeb6d38d7aad1dc32e24d3ffd6438698c16a13efd1463d281c46b8af861a8ce

SHA512
86669994386b800888d4e3acb28ab36296594803824d78e095eb0c79642224f24aca5d2892596ac33b7a01b857367ed3a5e2c2fb3405f69a64eb8bf52c26753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
5498580a3dde87150e11ab0cf75264f2

SHA1
65974819892bdfcb89e0c243364f63592ad0c35a

SHA256
96c1f0f5b376d2ecbf5a6e84bf0d8dee1e59c135da84629cb887fe46a908e784

SHA512
97631e4672caac9550c3ad8fccd62a5f667cac5cea1238f0494bad01ec3cb903db71f591ce840345bc66f2cdd7760f0f6e1c683d52cfb8a440519670ef352656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8d48b052463faa784e07832357577d45

SHA1
976b8aa966c972cc21d841dc489d5835d2531424

SHA256
668e5b0a8b05e016f992039eaa4847712bd6ede913ff2182bf9f8dbdec476ea3

SHA512
e1f83d1be6e4e1b4520571e22fe99afea0462cdde745c511231092cd18a731850f34619522d2f2cd3e3959a3d6b643809677a2467d41ae3d482830241a974572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bcbcbce286e568e005d3890923b9e653

SHA1
1ea55cc9ea4a17a42e17c1c58c082b625551224d

SHA256
da3e5a53f296e318e9df9439a221fa1c619d128714d655162678c28e9ca8c15b

SHA512
395ca74bbda22a03b62b7b80b08df7f77fc563a827b989d00d62d40761e86a38bf752e73a3cd1174e883b206c5e28b074c50396f6031ca86902e501c5cef5812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
ed5da64f9b38f1562b50e522cfd27c81

SHA1
c50ffe0302beb18984fa2ea70cb9f68604b0f270

SHA256
b1000bd8ee97ba3248b1562df4b8bcf98828a7286eea84c3419565968ce5622f

SHA512
04de0659bee112de14464c957e88252f7271e6e47483f6b74ad36362d3c8309b1f2527fc2c5909de1ac58f6330a848cb9a960da14ed5415f6682f64508fc7e41

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\cache2\entries\4E33C2090819C3120498C4900B491A4CC55EBCEE

Filesize
135KB

MD5
88c713277f989ad5f95f0667735173bd

SHA1
04a5c5185289938c22f7bb03e27839ab60870f08

SHA256
6f82b249d64e2fc4c1653190c1b92115f8b0528abf267f19e350dd20bfc5d5dd

SHA512
18406facaadd2df473923ffbe63a39d00af0e2ec3df447a2176f183bf02f7f57dca9a2f2eb3e5993c7582c8b6d914b2f7cf2d49e148e39dfa847202eb1ee55f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\cache2\entries\AE6C91A7A94F8219B78F6FB4AEBCFA5DD3A78D91

Filesize
49KB

MD5
e085f78075498c3e5403fd39598f0a59

SHA1
8c1a0e0a303dbc24e8979162616b75331e96efc8

SHA256
1321d094d24668d68518eb574e0a96cad28d941ad360627741f63890916fc87a

SHA512
c60bb9e9f3b0cae9ac2c285c8ad73d574e3344749fe0dbd92e32727913b8a839ff7674abbaecbfa5485166cce48146c8e5a60d70aff8782134fdf1c2dc9de630

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3A4.tmp

Filesize
1KB

MD5
3784ea28751aab32e9db1f311de61048

SHA1
cc475edda2e79f46ae42dfe365cd7c3e8389b31f

SHA256
3942f9a646a83a23a20213ab79be231c7ff0b7541745d7a2ef0d586911ad2c63

SHA512
b2d556b2f6347f1582014e15ccf8061c8fbc3cede5db8af0c48c111025d2cf2bbb7bddccee684182915d6f5690d156875b18c946dfdbdd67067c463f61d941eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF9.tmp

Filesize
1KB

MD5
26876bceb0b06f1468d7ede2e5556662

SHA1
c86c21cc0a6e469f5b45ca33abe0440ac8efa40d

SHA256
f003127879ebab8f8b3b2d6b76a096fb38af7c2a33d6a0a7aab7b805c50fbcee

SHA512
50d341237d16fdc02af48ab7aa99b6d2da3c779b96dc98447190ee59e51ab77abe3eed0767dfacccd0562f05cdbdf872cac36d83368c19508430998358d3a499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC19C.tmp

Filesize
1KB

MD5
2c8df1337ea1a15d86e5662086d14f44

SHA1
31af754fa64fdb2c925207d4fc8d86a1d6278b2d

SHA256
99c49c932bac5614fb5fa2330fb666b1494928c18e7cfb8dfa4a78a81fbd3587

SHA512
5ac09f0f37214c22f94542dd6235412d8634ac8e6a9ddd0a25b4a1cf187652791bfd18008fde0047c0823f7427e955f1d1964cab66c3852f72c479e870200383

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbd4ltdh\gbd4ltdh.exe

Filesize
3KB

MD5
7e1e2d85e19d468864197b03d082b7d5

SHA1
50bc90b96499c31a388bb7624f008c47a5b88821

SHA256
a59681a14140873886cd69e03c20e499b97a47ad0a92ffcbf031137a1e9f4113

SHA512
846f59c2c3510d81f37fc9bd8a4531c3e2e09419ea91572453bc597bf281845171b3131940f576384d280dfb739b955c677951cb0e777aa4786884fbe5c5197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbzfwryy\jbzfwryy.exe

Filesize
4KB

MD5
2b2a18d5e4642e0f1207dfc96dcddf34

SHA1
9c6fca5656e3b068e7189a3d11e4b5530ef72b51

SHA256
0e50e067fb2b3d52ad8e26bbdb73590f0ab49233de1d1516978ee805bbc6ec1c

SHA512
68ff4e3b1ab36a3a6ea45b8bad01b97559be87d5fb2ef7530e6648809da485c354c57a6f90a3d0a8c6453a3f8457cca0d57e1e67344aea15e35353cec4175414

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfbm3dxt\mfbm3dxt.exe

Filesize
3KB

MD5
a6c4447d9111bca5897e303769715509

SHA1
7bff47acf6a1528113402482a8d83d0f49e1dd54

SHA256
4bb408d6ed8377623c56578bb2f937b442ce3925420af8b7840bfbcbab9d5c33

SHA512
d6c1f9341552370f70f5d2bb38ee112d00b2ad8a86f7ad98c3d4b284ec44ad1e7dedad62ed0cd41d7686effec46952cea4dd728242b6f6454a6d5934aee9f78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31A0.tmp.png

Filesize
1.5MB

MD5
24cbd383fccf8ee8764c297d94b5078c

SHA1
dc61f5653b098250133b9a281b4630abf226bdb2

SHA256
247b94297f36837a905c4f628ffeb219dece7bd442446e4a2a44c9a88ed4f546

SHA512
be6c9ec813de9cfd0557d9a959759cbba4c2f659cec2498f2a2ec370319018dd522554b677b75ebecf035a7be1e0d559d68c0de50f5a36d28cf4df42644feebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5CSE41LH706WMG0ZSGOB.temp

Filesize
13KB

MD5
289c483093ccd3f9bca1b87d51aacce7

SHA1
74bb63f1590adb992cfcb83658adb03d56347d71

SHA256
60c77976fbc9959915f4598045b172754d4886d60a5d76ed6e03c86175a7a9f4

SHA512
7ef387dd169bb110c46547b8e88dd16ede05a41e696b077872de04360c641933947e23209681cf498fac54bc5e55f8940069c8c7a4762f4dcf8a97199c2944c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

Filesize
10KB

MD5
17aae7fc50f0d9d7166edc3c24aa8d8f

SHA1
9903dc9cbade53c393b190fa223445cb5b454417

SHA256
0457d585c5c26b7ab6bba583acc02223d76c38fb16377ac0fe2bb675e6be7ee3

SHA512
783a3725e9dc8968e6bc0f43dd915f65bed7bb87b567c186af0d15eedb5c904b2f20caabb4b9e74cbd3fbb2f45d1342c04062211002367a6c90422ead89bf467

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

Filesize
7KB

MD5
24537b23ec73fd23a67112603f8415bc

SHA1
2a6f4e241b51344634f30084a08e948a4b89ea50

SHA256
6b403112c090f3dcdfb60996955b2c5fc542e4ca955774ecec3ae83df0a181d3

SHA512
7d1434af3e432d2091251e03322b7976216173811acbae967c99f4788ad10f537be4afc6bcc7fada102834842ca17c4a3586d1b2fa09cb7d4ca496d3552124aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\SiteSecurityServiceState.bin

Filesize
5KB

MD5
04f6b3eb9f1ea4d200b8cddfa97f5c99

SHA1
1e8c951fe17b7123b16500a561d46fe16a9eb93d

SHA256
74d9077daabf7b8a4c487dc64043dd9b47ab4437487cd9d2b4c64695da0a2674

SHA512
0fb7615c9825d0b873deab3ee4002a975f23752f952daf584a539737b804526f637f252d37b8a58503c0cf44410226e9ba4988f452ab32b7c3c4f235b1a5d0b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\SiteSecurityServiceState.bin

Filesize
7KB

MD5
cd035ea23c58176de27d359246a96e99

SHA1
11313b6e50634dce4c9d0af1c27c26d66d8664f0

SHA256
ca6db4fc50c63e006dc84f63022dcbb9ca0d4ba189126d6b8a20b3d09a3ca153

SHA512
0277f3f95c13f7d57fe90d2d3e982b087f4c51bd7b2b5c4ca6197b47c8f2506fecb39e506720ff7b7a7c7789b29d4a44b22bd50520f5ab233b35d0fc9da418fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a5e65fb15a9b7b11ecafc1848dd8f225

SHA1
d620847b4fa31c8bb41b4b91730db940788e584b

SHA256
8785f60a386b5215d0476ab0673d3e7ae20109813cc1c3e9adbf1a5522f04cee

SHA512
adf6419bce81f4356ea380641cebbeb7bfd0579bb4953056eb095bcd1c4ec12bffeae63b43b94c714aab16cae608cc1a615f12e376511a7cb177a01f430fe1d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
c43562559674cd2581893bcf25231864

SHA1
ebc4a3b86558c62d1d814193d0742d5a62be2bb0

SHA256
e3690d74aabc330cf2849b3cc2ce4dad32c6708d9a5d1dd1fc23f7cca6e1f248

SHA512
3bdac5e8e7fd60a0c3a0e95f8a73b4544beaeead6b053de63697514c032fdb0a8deaa4f80c025965f14fcfbec2e521ce98a87e154bd2780e5ecadbf9eb3260f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
064d8d453dc0a59e8a9711db5cd57d4a

SHA1
60e7006f1a6512e787aa7da7e0bfca20a3f345d3

SHA256
27a6cba0cbe58b5570cb8466f6972cd35e02880bdb97c3a0396f182a783f8df9

SHA512
2b37a48611fdd61a71f0593cfc6dd5f71184d2a3349248eae5e5d9339c390b227d3c5b285b4748cd12b69eb39b87e21dab8566e1b0fec593ded56d29f45d5c29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
79KB

MD5
e675ba1db3b819af1691ce7ce380b3bc

SHA1
849fdc6321542c4b250357a99a8e8fe41da19b44

SHA256
8001dcbe8a4a9331d888a9c7e50bdb6caae0951d86a30596570857a91f854ba7

SHA512
a5412af6f4d0b298b67bb58821d47f805ade1fea4509d8e41b48c9bcb78230eb1a7aad373b862e714b43124bbfa365891f6b8b90655b11697439bc4ccc32fd71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\441d891c-d3db-4ec1-a666-f629bce31dfc

Filesize
26KB

MD5
ea508d7ad108484ea01d46e81c08a55b

SHA1
4c2d48b0e38c326769ada0e2dbd1657538fb534e

SHA256
c2ad79fdfd12b3310526bc79ff8f56749e08391cccecbcfdf1194a31b712a7b9

SHA512
6130590a744e89e73c97918528f94ba78f0398f1e354bb7014dd544df5b76366e9d69fea0fde1132c0f36986a1b789ff81c6e2d68d011341e5f997c208e652ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\73c2d5e8-9ce7-4a97-9a73-02fa61930d08

Filesize
982B

MD5
d83b901354b49f14c56375020a1f37bb

SHA1
764e2031aec04c50699daf521c427da020c67de8

SHA256
bd6e973c7a148b759023d5a733f59878c27d351d1a7662f3ae7bf39f00406801

SHA512
a23693b677ff493c33c3722ad4f41e2954e4d1e35db7611d7ef50c86b9cb74ee63a9d83b77e8d25570cebe14721b11c2862eaa4325e37754fe3da6ab1827c75a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\7d92b107-83ae-43a0-bd60-9f1af8e9304a

Filesize
671B

MD5
1ea6cab59a299dd107a3bf92d4c8f0c9

SHA1
e1fa971def66be441b58a7e2697ee19d2fbfed3c

SHA256
8fc81f0538a25d4a543ad226e9bc7f29294057966974fd037e6ee6642b6b09d3

SHA512
4c0ddb849da96f0990351652fdb64741f509a8d744242df28e77c6fdb3270f5907807b391a1fed3a096797e9506d1e8ce04178ca130460fc8798370cbdd321b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

Filesize
11KB

MD5
1cee324a3b7d3a97910bd995460772f3

SHA1
4e3e77df149bd7a9fc30d3cbacb66ec6e00437b3

SHA256
5dbd1b27acff567299539d98d141da573c288928f8c39bcf5d3376ed8e461211

SHA512
03973169a6b8ab71bf3a60df46b651e47b61089b4ecc991e6ec12244759891573c9cdae16dc52def13b3c787bc011ca5747dd2681ad492c41e776c473df80e31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

Filesize
11KB

MD5
fa68ff0b34eb36ab4687f71f82821910

SHA1
a1d1c248238333098a126b85d0d8aeb0a3e48d88

SHA256
7c4828694304dab8d680a060376a4601abf734bba176167f04b3617b5c168819

SHA512
3c2dbc399c18baabb3a619110d0df38dd2cf31824f2abe42ebfdc7479f5c96423a694c89e42bbf2bebf54aafe3c1ba7d4b283aa64a0575c4ab8330a3320372ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

Filesize
10KB

MD5
f1f9e2d9b8a1cb84b49458d05621d0e5

SHA1
7d15ea87f33cc2b27c5ec27185e285492a271503

SHA256
5babca1d77151066e9a049ec63a947379f66e020335265157febea05cb203ea6

SHA512
d8cc0d61e90a9e253cae2c9c66afbebbea0e994edff528e6315a871860eda7902ada36d7b420d1cc7bc62f56523cc6d5b4ec1d6897ae54408d0e93842e2aa880

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

Filesize
11KB

MD5
c2e9f3c742240d96137adda167ad5285

SHA1
2b8ed27562287e541ebe0066dce378eb2d03163c

SHA256
6e4df7652607f67f8a03c3e61470ce77d67189a5d80e9b95dfb5d2cd6725437d

SHA512
8cd6ec8f66506d0be5b3a33b406d1c09796d73a6442eb495152a105ede83eac5f25cef1e9960b60bdd757b240747b9192bf3f3d8ccc18912fdfeab30fa0bd7a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
748b47a2e2ec86f045ec8aed5ea9b1bd

SHA1
03e88540fc4e7fe89eaff0170163c05f5799bc4c

SHA256
5e2782f445b15545b53a04a115abc43a09e2b3dccbdbde37b196da81aa82fce1

SHA512
d8fdbb46738c8a6cfca856da8bb17639b6d16e339271d7268052222878921aa95092b09ae3f7728fd01848589f994cd330c1d43ef5362f7ac8b0e3bfe11b8e6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
ee3fac2f7c457cb32c2ec7f6e57169e8

SHA1
7c79d322a6cc6ed2cfb78b82d128119bd19466d3

SHA256
00e41036a599da57370edb1539e00b185c5ec7442797f8d356c1a6df9d715c5e

SHA512
02ebc7ec813332f22052a36c8741542242f41ea17edb0a59c2b8ce0fd22b5e6e48a3345478cef678ac3f34e5facd7d6d78eddd0e1c23fb4041c1e88d556db4bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
0bfa900ca1e0feae186f042e894fde24

SHA1
774f24c2014baf7208adc5d255654ec10d4ddce1

SHA256
f324944641e0d3a7573e63380dee4d20c4e3e61c4c71725d7aab26c0c7a09304

SHA512
2607a45352768e2f660174b86471d20783badbd4143d2d5df50302ee4f8c33451556223b2ad6424d4f8d260d3cb32ba92a3704e8712f90c8368b05e955186478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
ce68563d1f84825e0191fb937331ab45

SHA1
1021ceb7871653d1a2ff0f70869b2fb6df6682c8

SHA256
eb62794553b91c49d91206056b4de466ac57f5fd0ea20b82dfd5cc152ff6f153

SHA512
125f29dd9a3a055ea66e93f76ec021519c6c9744ea02dc00c89583b7e0b6c69134210f3af769c152cc21f9abd5b2fa7cd927fcf29afed47feebeeb90d85e2a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\storage\default\https+++www.roblox.com\idb\3140325527hBbDa.sqlite

Filesize
48KB

MD5
70e12f8a58a224044075eb92313bfc95

SHA1
bd63624ea87e3fbd708cc6e415ac4c5c2b650971

SHA256
c1e7cf9c0b5b4ed78534211dbbb936d798930ecf731b781e5772272694a370bb

SHA512
1f58a360a3abd3606ced72c9c59a20880d2fc3bda0f1d2e9ef9884a77f29ad3a43b654e8a14d1a8ffa9008de775676a2d7560c8a14e794db5344a103388f34e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\storage\default\https+++www.roblox.com\ls\usage

Filesize
12B

MD5
7be84efe3ec27130914d06f418d816ea

SHA1
06d4b2aefcabca5f9d5623799f7a3162ebdbe122

SHA256
b868f25a412a10e7e701cff2a3b432b9d5934505bb71e996c00f7774ef673df7

SHA512
3ecf0f26debc3298f16721ca1f85b7cf9f2657b996646af87a37227ab85eb69bef2ecaa46cde048d295bab7448f34410ab50de6176ee76a5708b7056bb72e4ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbd4ltdh\CSC1199E9804EBA44D0ABF8B35FFD9C4EE.TMP

Filesize
1KB

MD5
b82af16b4ab52a7ac2f2f1e69f71f6de

SHA1
485140495b6151fff6afde4567255a38d9d34f84

SHA256
b2afaa6ace207d3bb57c80025d067e829bcf87cd6a1687e459c1929c02c5e55e

SHA512
176c609416630089018a1c8c98d6174b85b72bb1cb6384f5c5b4fbd2046b415c594a5e126fbd931f0f5279c8002ba9c4dcf1aabedd3f4e219af2480a46136dd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbd4ltdh\gbd4ltdh.0.cs

Filesize
300B

MD5
a85fa53c112b4e364fa6b963a545325d

SHA1
27543fe26aa3344a677f03d5d892a543f3a7a7a0

SHA256
9048696e1de76c06e31a701b2b5f9a32361c34fb63ab1cca8574330d8152c121

SHA512
7aa25cff8c813440b7dfe1146cbe7a1213bedda48ddb819ae506616c8d97a8377dcd7fbad4b67dfd1bf5f130ba622beb7b2a546ccd18288705806b483fa4282c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gbd4ltdh\gbd4ltdh.cmdline

Filesize
334B

MD5
0567e2cafe65ca86922e74a1d6aaca1b

SHA1
86840bef1df94ee4efccd5d730ffb13314655111

SHA256
975a242cb7b21e83803e8e7eac6d0b024d02b26203af4d451ea77c67bef4f65a

SHA512
685e187db8ef77029bc23a23755fc68f71fee4715781f88ac2c647cceb2fe963e58bfe916d92e86bde2345163a01882d4c5c5ecbc731aaa8db85157befe813ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbzfwryy\CSC4DABBFCF53D0425C86C6D6F6AC3E543.TMP

Filesize
1KB

MD5
d0b3369f6f693217a5c0486954819254

SHA1
95330922a5e6352546af8b128671732ef2220256

SHA256
3039e7831ee67596178b81e2d9beffbe0a192b0ad16fe4abb5a073c3c017bf08

SHA512
c3db252499461c5e56ce8cb1290e90ba3c29fc1830b7fc0609ca4ae5adc222fb6d6fb0779eb3336e29bb8cc4791100e129686de453036a12d84b2c13eefc1988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbzfwryy\jbzfwryy.0.cs

Filesize
487B

MD5
b4b09cc12cd686a5ee0a1844640a50c5

SHA1
12bb91490495d74685836a48367da7217ad6df75

SHA256
91693b12c042ebd4bb9f24453cc85e666b4c80f15fb5a58ff94697a86136ee6f

SHA512
1387440eeac8610a3b3a6b134069039a00002107f625f3279f04cc14c187ac1f8c78d30f7b4c949bbeaa8e423bd6934df954e4b6679c84d97240cfe8dde8ab28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbzfwryy\jbzfwryy.cmdline

Filesize
334B

MD5
6fa13622f602adfdc8d70defb60102af

SHA1
6e80ef5cab8379fc94eb1062f59819ef3a96458a

SHA256
d282d80e3477f3faa532c561d5e2881b6acec3f8df04928193f8ac5b9cb9dcc1

SHA512
313d2576d1c43970456c4d4847d57c3e005dbe2f7c91f855ab351e2a2862a322471268e4b768a41911532a9d692b3cc643634aedc200c0ad65e5c7d888743381

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mfbm3dxt\CSC342FFC8A5AC84B53A39E706489A8176E.TMP

Filesize
1KB

MD5
f5046df035e2a8190070f05c5fe17080

SHA1
77a9065c9061d61185e69039ccce782daf7a3c62

SHA256
d2ae6fdd7a215f6783c9f78018b73172bf0d056497a4e3105046fd46acc36459

SHA512
4f9cb088a557c5c847e6d44ed41045da7c419eed7e7788dbda0f985c0811b8427b34afee596c672e2fea583f2c7c9ef2a1581b0ba1ca00390c00bade7b856847

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mfbm3dxt\mfbm3dxt.cmdline

Filesize
334B

MD5
5149c1dc6615b1f589698b108b2cf846

SHA1
e3451a8c11a7f360ea6ca95f28ac759d98caa46c

SHA256
13ec17744f7339f38b386294964503ee3333cc069e4ee190318de16a220d1149

SHA512
c0a7ca5a7a4a588fe6974100472811eb27eee309088d975240030423a9f5f99c1aebddfd58105baed1d05db52708b880d3bef149a661af996bbedd18c3dc31f8

Download Submit
\??\pipe\LOCAL\crashpad_2144_ZVLNAJJNAJGBRYGI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1700-2516-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2515-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2517-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2518-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2514-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2513-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2506-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2507-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2508-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/1700-2512-0x00000224FAD30000-0x00000224FAD31000-memory.dmp

Filesize
4KB

Download
memory/3524-275-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/3524-2443-0x000000000B250000-0x000000000B2C8000-memory.dmp

Filesize
480KB

Download
memory/3524-12-0x0000000007050000-0x000000000706E000-memory.dmp

Filesize
120KB

Download
memory/3524-11-0x0000000006F20000-0x0000000006F88000-memory.dmp

Filesize
416KB

Download
memory/3524-10-0x0000000006FA0000-0x0000000007016000-memory.dmp

Filesize
472KB

Download
memory/3524-9-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/3524-8-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3524-7-0x00000000063B0000-0x0000000006956000-memory.dmp

Filesize
5.6MB

Download
memory/3524-6-0x0000000005D60000-0x0000000005DFC000-memory.dmp

Filesize
624KB

Download
memory/3524-3-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3524-2253-0x0000000008590000-0x00000000085F2000-memory.dmp

Filesize
392KB

Download
memory/3524-2254-0x0000000008670000-0x000000000867A000-memory.dmp

Filesize
40KB

Download
memory/3524-14-0x0000000006AA0000-0x0000000006B04000-memory.dmp

Filesize
400KB

Download
memory/3524-271-0x00000000077D0000-0x000000000786C000-memory.dmp

Filesize
624KB

Download
memory/3524-2-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/3524-2429-0x0000000008100000-0x0000000008160000-memory.dmp

Filesize
384KB

Download
memory/3524-2440-0x0000000008F30000-0x0000000008F94000-memory.dmp

Filesize
400KB

Download
memory/3524-2441-0x000000000B110000-0x000000000B174000-memory.dmp

Filesize
400KB

Download
memory/3524-2442-0x000000000B3E0000-0x000000000B442000-memory.dmp

Filesize
392KB

Download
memory/3524-13-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/3524-1-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/3524-1963-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/3524-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3524-1994-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/3524-2013-0x0000000006030000-0x0000000006038000-memory.dmp

Filesize
32KB

Download
memory/3524-2503-0x000000000B520000-0x000000000B584000-memory.dmp

Filesize
400KB

Download
memory/3524-2504-0x000000000B740000-0x000000000B7A2000-memory.dmp

Filesize
392KB

Download
memory/3524-2505-0x000000000C920000-0x000000000CA26000-memory.dmp

Filesize
1.0MB

Download
memory/3524-272-0x0000000006F00000-0x0000000006F08000-memory.dmp

Filesize
32KB

Download
memory/3524-273-0x0000000006F10000-0x0000000006F18000-memory.dmp

Filesize
32KB

Download
memory/3524-274-0x0000000007880000-0x00000000078C0000-memory.dmp

Filesize
256KB

Download
memory/3524-2068-0x0000000007C00000-0x0000000007C68000-memory.dmp

Filesize
416KB

Download
memory/3524-2060-0x0000000008510000-0x0000000008574000-memory.dmp

Filesize
400KB

Download
memory/3524-2049-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/5840-2497-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/5840-2496-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/5840-2490-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/5840-2483-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download