nanocore | hxxps://file[.]kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw

Analysis

max time kernel
149s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/01/2025, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://file.kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Loads dropped DLL 1 IoCs

pid	Process
3872	msedge.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Manager = "C:\\Program Files (x86)\\TCP Manager\\tcpmgr.exe"	Microsoft Crash Handler.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Manager\tcpmgr.exe	Microsoft Crash Handler.exe
File created	C:\Program Files (x86)\TCP Manager\tcpmgr.exe\:SmartScreen:$DATA	Microsoft Crash Handler.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\nl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\ta\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1424867650\edge_autofill_global_block_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_731440020\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-la.hyb	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\iw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\en_GB\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_240225285\ct_config.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-sv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-en-us.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-hy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-nn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-ru.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1527532024\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_2083979619\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_731440020\office_endpoints_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-af.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-en-gb.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-et.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\bn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1763424055\safety_tips.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_240225285\kp_pinslist.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-nl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\si\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-da.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-lt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-de-1996.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-sl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\az\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-hi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1527532024\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\tr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\te\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-ka.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_1796483092\_locales\lt\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Crash Handler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803411995751228"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{2747D048-562E-4B50-93B2-BB0C19BF759F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Manager\tcpmgr.exe\:SmartScreen:$DATA	Microsoft Crash Handler.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3496	schtasks.exe
1184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
2620	Microsoft Crash Handler.exe
3872	msedge.exe
3872	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	Microsoft Crash Handler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	Microsoft Crash Handler.exe
Token: SeDebugPrivilege	3544	firefox.exe
Token: SeDebugPrivilege	3544	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe
3544	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3544	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3496	2620	Microsoft Crash Handler.exe	111
PID 2620 wrote to memory of 3496	2620	Microsoft Crash Handler.exe	111
PID 2620 wrote to memory of 3496	2620	Microsoft Crash Handler.exe	111
PID 2620 wrote to memory of 1184	2620	Microsoft Crash Handler.exe	113
PID 2620 wrote to memory of 1184	2620	Microsoft Crash Handler.exe	113
PID 2620 wrote to memory of 1184	2620	Microsoft Crash Handler.exe	113
PID 3872 wrote to memory of 3704	3872	msedge.exe	118
PID 3872 wrote to memory of 3704	3872	msedge.exe	118
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 380	3872	msedge.exe	119
PID 3872 wrote to memory of 2084	3872	msedge.exe	120
PID 3872 wrote to memory of 2084	3872	msedge.exe	120
PID 3872 wrote to memory of 1772	3872	msedge.exe	121
PID 3872 wrote to memory of 1772	3872	msedge.exe	121
PID 3872 wrote to memory of 1772	3872	msedge.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw
1⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5416,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:1
1⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=5524,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=1308,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations=is-enterprise-managed=no --field-trial-handle=3208,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:8
1⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --string-annotations=is-enterprise-managed=no --field-trial-handle=6624,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
1⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations=is-enterprise-managed=no --field-trial-handle=6796,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:8
1⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6828,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=6508 /prefetch:1
1⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=7204,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=7240 /prefetch:8
1⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --string-annotations=is-enterprise-managed=no --field-trial-handle=7224,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=7372 /prefetch:8
1⤵
PID:1292

C:\Users\Admin\Downloads\Microsoft Crash Handler.exe
"C:\Users\Admin\Downloads\Microsoft Crash Handler.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "TCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAFC3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3496
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "TCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB0ED.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations=is-enterprise-managed=no --field-trial-handle=5356,i,2725994768946232574,6120507490560741562,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
1⤵
PID:476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.109 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.86 --initial-client-data=0x260,0x264,0x268,0x25c,0x2f8,0x7ffddb226070,0x7ffddb22607c,0x7ffddb226088
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2116,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1932,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=1408,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4428,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4428,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4504,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4588,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4784,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4412,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=136,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4924,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4568,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5012,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5040,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5144,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5008,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5252,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5128,i,4310372497923357621,6724590900449517453,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.86\elevation_service.exe"
1⤵
PID:1084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1244
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1876 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9e834c-ec69-468c-a0e0-e3a22bb7dd21} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" gpu
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {313208b7-61bb-44c7-8404-338cb246082b} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" socket
    3⤵
    PID:476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3448 -prefMapHandle 3400 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da34b5f2-2202-4a15-bee0-80043b0616d2} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
    3⤵
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -childID 2 -isForBrowser -prefsHandle 4020 -prefMapHandle 4004 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34886d1c-c6d2-4a29-b7b2-75269c683047} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
    3⤵
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4816 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a785144e-9f08-46c3-942f-5c126816392e} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" utility
    3⤵
    - Checks processor information in registry
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {895d4cf4-68ff-4aab-9ffe-9618180e08fa} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5352 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2535d1f7-0819-43fe-8e54-93dc63333e16} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
    3⤵
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c925af5a-a5eb-410b-8624-d110eeded00e} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
    3⤵
    PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ea4a161a24a8ccac1308dc874ceb0609

SHA1
82cb3a0aaab828e14c09ec10993582c8a5e84a1a

SHA256
de327a22f066d00d3b3de21aa8da4351698d3d10ec6481d7d6a80f523f3f61b9

SHA512
9dafb25f3066a87e39dcd02f9ed96bdfb0343b4c09197462001eff98360e2110458478a745bf20c0d5e35ff4526d3b907bc7587d9eba568af7cb2c2306efbafc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
410KB

MD5
56877e46c4d8f7e37d289129b5bc95c3

SHA1
7058a32cea5b4e9c6a7ac31f0a0df6a2da7f9be9

SHA256
debcc45f29fbf04e824778613fc3224c0e7b8a33f8d152f159d7ed7c24f3346b

SHA512
60937872737661d702cd042020f3baf9b6b241fe64d20bb3dc279575718e222440463b8da01bb4bc71052fbeb69e7567775a6670da4a5e127220d22d69a0358c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
3f31777544b5276996d074248608ff3d

SHA1
dda0e424f3272646fb7513c5f4c4d2adac090bf2

SHA256
7ba8715f00e5dd7075b62328cc02b1328b401e0b0b4c1cd1cf6f969dc638d548

SHA512
796f0c0e4d97b74e5654931e02b425fd84a99f7a2ef4b53aee3685e6c1be61efe11ae82312855e1db90cf93182fc7e9a80279e7c55f8c49ded8e0d85f85e7533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
5KB

MD5
f30fdf7be88512e178b6b49c422136b0

SHA1
76ee489b153c0aa09c0819e20b04d7667b5b9e12

SHA256
45030c4b3039b6791ec2e64e0710e7f74eb99ddd2fbba3a591cef2cf469f6108

SHA512
14c52099bf901a699a73497e8de90edb6cac4a43f3bbd9a2f575f61df1c28d5614163a52fb23f06ba2fcef0756c82fd21a73bf84cf6fbf3635c574a0539b0b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Domain Actions\3.0.0.8\domain_actions.dll

Filesize
577KB

MD5
bd277c53d8c706d242b55819b02d63ec

SHA1
82264a661243bf42fe73c7daf702fb3f85cc5dde

SHA256
5e98a68b1e82e5e47fcb232bbfd02f890813178ab22681b8b041bfefafcf8e07

SHA512
9b18454e408f326c309316b5bf77e599006b2237ed34cc8e4271d7e6f011f1ad37aa08da03732b8846e4c77fa7964077509b3e9f190817491582674524c66539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
e4e94dc85ed77c02d0fd546b65f051cc

SHA1
04d4193e9c51c501c9128e72987999fe7cf650d6

SHA256
419bf2c848d903be0fc63332efc728884b9c113af0b4b9dd455daa5ce3dd749e

SHA512
5c601206b73ec33c01e4e30706dcb41016d658cec74eaf6346c166e61b0f2fd249e4476dacdc6df98d05849d5c8a390cf04e34dadc0abd8b6e6cf1d22b2483f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
47KB

MD5
68a0b1b23affb2c42cadfeed7ccd8a32

SHA1
503ec096051a44fe83da47f966574caf1d9e69bd

SHA256
ca30aea500215f7fd26921fb731540f169a853d8dcf009c2460bbedf0efc1ed3

SHA512
f5af96ef1a1284e870be17c2018a48a38e1f726f9a4e96cd1a3d8d3caa9685854a2df2944535b26f0a8d0a8c49f4ee6de360faad4818486c1953f335a92fb8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
45KB

MD5
f4ab1ec3ce292ced4c73665fb5f58340

SHA1
74f0666beb47e448bca2282201cef69d8b473922

SHA256
b9857d4b6a66ebc75b75fb5cfe3a9b5d455b3ccbfdb1d3408836a2adc1a81aa6

SHA512
d89aefdc420890205be546f385b49a2070ce20db90ab5cbfa53d53015ccb550f363b98ed06b5d0139ba68e6523e2efe0750ed5a8c59198abd8bc3d414e893224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
75KB

MD5
aa7dd2b8963d8ddedc47e851f1230bdc

SHA1
b0b31362c6222254dd71248fbec1c0a59f01f5b5

SHA256
80a4463074bfecec408b9093fbf69504a319497ef331ee46b4cbc2be134c3667

SHA512
07d4a91ecff1ed15390d6014b989707a8107ab6eab1ece9790d73b7fc0e9d0b54436ae7c1690896b49e5c0cf5616dc8503af0122e1dbe7c9bc1218db5d9d085a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\igamsxea.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
0612df44cf68361557f7e610731c69cc

SHA1
97bb40753dc82ec4d060ee2825eb2aad8951b1e5

SHA256
8b89f428bc148565e71352ac1183f9a51735fd1c8cff10a8fe1bfd2966e2ac91

SHA512
b196357cc39b38b534b1f9acfb30908bf1f523f8dd9f3ebf573352c752be9bb31fa7ac5ca1d235cc1407cdea22dfc999ef6af0f463f4ef93f93665a49fce8641

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\igamsxea.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
24fb5dddded28f68763567c0b17f5827

SHA1
70d0f7ad217cea192b3f59061dc231d5ea906f50

SHA256
3febbd7b80122c7367cc6ddc13726e247089803dc7c0e4248ac3ef83a23cbd93

SHA512
84dc51aa53d36ceb6be9ec1b93d6f36ea3fc6cf7746f72b3a3f4d42c9ef4675778dfd8e43be973692476a7728726a4749dc910cc69b2016c24c25974fbecdea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3872_1307859491\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFC3.tmp

Filesize
1KB

MD5
89d9ee4cf29e9203d6b534859956ce0b

SHA1
a8baf78d0939b0f82f3f1831aa952885e1fc863f

SHA256
6a51a600c1d3386951331d2be6f7f66fff8c74b56509051d92192e26eab69f4f

SHA512
1662d3e88e1c8cc39edeec108fdc53b746d951711a40c295baa1641d5ce503c8f434b005f606b46d220840e19814809970357333a1a7c93c9d224338a70bb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0ED.tmp

Filesize
1KB

MD5
9ef09eeae52de0c7c7f111b945ba440c

SHA1
e5243c92416fd37f7b50c5ea741a97cd2ad9e85e

SHA256
8099de047cf1922f883b400d6a032d93e6f88ede5e4f7c12d81cbe66ed5627dc

SHA512
89f421d149cab49aa828f2bef79769152001dc8ca3fc65d79a824a9d9d1cfe1a38c3f9ee2f228b079f44cae6ff421a7672e059df13f855061e970b664513d6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\AlternateServices.bin

Filesize
7KB

MD5
349dbc830e03912bc55e7df094d6a4c5

SHA1
3ea84497d4f75e59b38e287af958bbdc7f275d18

SHA256
647cba67e0e17f7ababf1a17bb2a0d873934a226a46691239032d38eb8b30059

SHA512
178b8cac75ccc73c0bed4cc85a1e0506bc975038e1a00eb8a5eda28cb087811319fc3095379cd4426532382bb91c77b6f43f4edf2e9c45eb56bdc71cd31d042a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
6c911ba3866bddcd6cc58e126c041d61

SHA1
1ef396e3c92700e8fb490227ca45e1670ffea112

SHA256
a83e470fbd62849e8fa141cf907729bcfaf7fadbe4c4265414cefdc5f9d375fd

SHA512
5af54cff318b09d17fee886afe73223cc14a54f48af08af962d9113060b9e378e5ed95a2f35c794639e489b58aeca0292e781517bc5f1f407e38f10a91724cba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
3a20b0e46c46b8a6aee20ee940dbfb3c

SHA1
4dfbd3830dd6c0a71a032880a2f810e5ddb1bcb0

SHA256
a20a4b460d3779d95587612be7550de57a0a73555a2fd1a837d2d9b8a4d11255

SHA512
810977058a7656533a31ea886bd202244da87fa82b069ccaf163e317acfe22c48d1bda65901d002a9785c5ba0eeeb7805246917250560d86785e630c1a87dfe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
dd7a13ecbaef766ac3d2c3adf776d4b1

SHA1
6abe6a13870621ea4d19ac35a98bfdd8ce269f7f

SHA256
f854e64f939ecb6dce71f49934e024db13f602cd262df0686aa7a49e1d5de7f5

SHA512
50e7e0a010354462adc209e04d15aeae6bcb71070887a6e3fd5982c0e9c340697e970aaeb9d3edbc97b503643f35af01b26d26616475f2423ebc403dc23e3f10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
892b6388462dc5727a040f636335edfb

SHA1
16de1c9027e74dabe8b52b2ade9c20993a25d2d1

SHA256
20924b4722558deee27638d551057b39e6aa44d9918fef8799be31f9bf3c03ed

SHA512
ebaf5f392f14443b9c1f7c9fb32571b8c6b835f75bf4a3e7ce98191375a6ae4412ca2cd8291e4122bebe42b0e8b34fb934f1b9db90a8ae4174ec030e850cc3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
b38b301c151a02cde1efeedfbce541d3

SHA1
d5ce98cc00843e475f321a83e6f47013f8f767b4

SHA256
deee99a8515a35c07c18696978683ef5baadf82481776e97c3808201ace4e060

SHA512
f9d826acb49ac8b876e20273f4b64178b3764349120d090ece4fce318c1a9e69916d7c14e4de4ddab8558d1f6c738f2b01f9167f3a4e4f64cbc3bcc6bf026c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\8bb8a111-24d6-4980-bc72-2eb0bb449622

Filesize
659B

MD5
4f2d6b84ffe60bbc52d1d08b73c546bb

SHA1
eb0c5518b2d5e546196d9a3f02fcf3da3e5ffe03

SHA256
bf06203efce2a7eddeb7d2daadbe5adf33f4863dc738a988b266c0db04c4dc50

SHA512
fb80dd7c4a59be0732480de41e38eaa6626837039d6fff13c6878595ffedeccbc86dc41e546f4c2c79229ae19323594b46315c01fb20558f1f3fb8cc42e4bd45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\datareporting\glean\pending_pings\c0e44b75-d221-4f35-822f-4732252e7b6e

Filesize
982B

MD5
ace32fc8c7e8a74d7d3b688ce1aa7c5f

SHA1
591a578975edd07d2dc06403cd75bf9660cde084

SHA256
8e26c0da0dd5bbaa4f284157de01d1cd90f079c5ecebc8cf5d06e909afbb2191

SHA512
f52a1a5a5ad2eb9c40eb934c7b7c964bed60265a5571452953496f85b034f55c8e4f71f1818f300e64fd9efaf30767160bb109eed1c41f5ac6555105b3d9d3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
10KB

MD5
ce90e14047c1f33f0f50f38d2c4dacc4

SHA1
98be023ce989ae3e531ce158a899d7475d7c9c59

SHA256
1f122fd08ac6616a89bdf6d0d11b04a23ae3f8607184ae079834faf3bc5fc6ec

SHA512
451e019b9c646927bf2a748b61630a8491502a877b820fdcf04328625a34b5ae194bc2df880568794e9f9143ee23a9df8630902d669b9e08a37da0b53e41ed10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
11KB

MD5
b4f18167abb5ca92c7323077167c37f8

SHA1
59c6b3b7435eeefd2e0cfa12426868d46082532e

SHA256
ff248a95a205c01e7d8aed5ad49b71aab361354979c0133c36da18aa165961a7

SHA512
95164dba20d1986be0b0f991cd00ef989416ed52c73fb24cc5411a4c83bdd8918980b4f51865452150c200ca344b52ef7602e30e5dbeaba7a28cb46d906b3821

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs-1.js

Filesize
15KB

MD5
85450ac18dc6aedc859cabd8da469263

SHA1
1f614fbe3a95453abf91506e4c211dfe05057c8e

SHA256
b496fc8cbfc7d997c42c41385da38548f0aaed44e4f7f057818fa0a3d4d65a72

SHA512
6b5295dc6e905f35f10000c9818247444c52bfb65af8c01038a8dd99d3809466d96179084acd0f8e7f1e7bada3cae35ec024a3e0d34c594a923cf186be9413b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\prefs.js

Filesize
10KB

MD5
147d5e40685768ac30401f59bc5af41c

SHA1
8af3587224ec3601ecbde12eac5c1d8dd9ff6919

SHA256
2fd0e22270b20a5284a8e9ca4514c21cf3b9f004ccdf9590cee118aa8243cfdf

SHA512
07c3bdd4b6cf16cb1a7210b7d80748a30af5aa9e1d0e71b48fa8337fa7dbe55951c3335439d4ab0f88554717252824cb43a3975459b17806db233f21cd30391d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\igamsxea.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
04cfbbaed29a51ac9899c2d1b89c7eca

SHA1
1e0b4ed86fb8b76a0a99f69e8e164d21b5b7a0fe

SHA256
e252030b95cf9577c36dbbd205c73e3d91eedc08f73f6651a104e33f73bd028d

SHA512
ef4736daba9c055cd944a66f5cbfad42b984f7a29e8fc8b91c9556d5e3f4022d3f6612e07d8aef3d4a76e1f3c174f8604132b499cfdbe4f534add8380b9d251f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3872_965523755\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit
memory/2620-16-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-14-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-15-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-13-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/2620-4-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/2620-17-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-420-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download