stormkitty | c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe
Size

771KB
MD5

bc827fbe66a38ef110d75f9fb2534093
SHA1

782e259f95bc98627754962c5f189287a256a5b1
SHA256

c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4
SHA512

72e4dea0647ea4dec2b00ebc02c246c4479fd85b1fddde934f0c9e289bfed332d35efc1a9e3bcb785f8540e4be8841d982af87bf682a56e6b6338656050b069e
SSDEEP

12288:bV0XL6xDIxsWZEWbRQBs4sKmIiAFtOmn/plpVBMiPUXKSU6Sria9HtIW1QlU3g:bVO6KZEW9QB7xmIiIznRlpVawlrWQp+

Score

10^/10

stormkitty collection spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe	family_stormkitty
behavioral2/memory/4468-144-0x0000000000960000-0x0000000000A0C000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe	family_stormkitty

Executes dropped EXE 5 IoCs

Processes:

Tknsjaywoelf.exeXdbvimbn.exeVisualHDController.exeVisualHDController.exeVisualHDController.exe

pid process

1384 Tknsjaywoelf.exe
4468 Xdbvimbn.exe
4944 VisualHDController.exe
3136 VisualHDController.exe
3068 VisualHDController.exe

pid	process
1384	Tknsjaywoelf.exe
4468	Xdbvimbn.exe
4944	VisualHDController.exe
3136	VisualHDController.exe
3068	VisualHDController.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xdbvimbn.exeVisualHDController.exeVisualHDController.exec58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Xdbvimbn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	VisualHDController.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	VisualHDController.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

VisualHDController.exeVisualHDController.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 icanhazip.com

flow	ioc
14	icanhazip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

Xdbvimbn.exeVisualHDController.exeVisualHDController.exe

pid	process
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe
3068	VisualHDController.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3988 4944 WerFault.exe VisualHDController.exe

pid	pid_target	process	target process
3988	4944	WerFault.exe	VisualHDController.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VisualHDController.exeVisualHDController.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	VisualHDController.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	VisualHDController.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	VisualHDController.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	VisualHDController.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3620 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3880 timeout.exe

pid	process
3620	schtasks.exe

pid	process
3880	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Xdbvimbn.exeVisualHDController.exemsedge.exemsedge.exe

pid	process
4468	Xdbvimbn.exe
4468	Xdbvimbn.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
2304	msedge.exe
2304	msedge.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe
4944	VisualHDController.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exemsedge.exe

pid process

60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
2044 msedge.exe
2044 msedge.exe

pid	process
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Xdbvimbn.exeVisualHDController.exemsiexec.exeVisualHDController.exe

description	pid	process
Token: SeDebugPrivilege	4468	Xdbvimbn.exe
Token: SeDebugPrivilege	4944	VisualHDController.exe
Token: SeSecurityPrivilege	816	msiexec.exe
Token: SeDebugPrivilege	3068	VisualHDController.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

60 msedge.exe
60 msedge.exe
60 msedge.exe
2044 msedge.exe

pid	process
60	msedge.exe
60	msedge.exe
60	msedge.exe
2044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exeXdbvimbn.exeVisualHDController.execmd.execmd.execmd.exemsedge.exemsedge.exe

description	pid	process	target process
PID 5040 wrote to memory of 1384	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Tknsjaywoelf.exe
PID 5040 wrote to memory of 1384	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Tknsjaywoelf.exe
PID 5040 wrote to memory of 1384	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Tknsjaywoelf.exe
PID 5040 wrote to memory of 4468	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Xdbvimbn.exe
PID 5040 wrote to memory of 4468	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Xdbvimbn.exe
PID 5040 wrote to memory of 4468	5040	c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe	Xdbvimbn.exe
PID 4468 wrote to memory of 4944	4468	Xdbvimbn.exe	VisualHDController.exe
PID 4468 wrote to memory of 4944	4468	Xdbvimbn.exe	VisualHDController.exe
PID 4468 wrote to memory of 4944	4468	Xdbvimbn.exe	VisualHDController.exe
PID 4944 wrote to memory of 3200	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 3200	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 3200	4944	VisualHDController.exe	cmd.exe
PID 3200 wrote to memory of 3880	3200	cmd.exe	timeout.exe
PID 3200 wrote to memory of 3880	3200	cmd.exe	timeout.exe
PID 3200 wrote to memory of 3880	3200	cmd.exe	timeout.exe
PID 3200 wrote to memory of 3620	3200	cmd.exe	schtasks.exe
PID 3200 wrote to memory of 3620	3200	cmd.exe	schtasks.exe
PID 3200 wrote to memory of 3620	3200	cmd.exe	schtasks.exe
PID 4944 wrote to memory of 3380	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 3380	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 3380	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 4132	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 4132	4944	VisualHDController.exe	cmd.exe
PID 4944 wrote to memory of 4132	4944	VisualHDController.exe	cmd.exe
PID 3380 wrote to memory of 4404	3380	cmd.exe	chcp.com
PID 3380 wrote to memory of 4404	3380	cmd.exe	chcp.com
PID 3380 wrote to memory of 4404	3380	cmd.exe	chcp.com
PID 4132 wrote to memory of 4772	4132	cmd.exe	chcp.com
PID 4132 wrote to memory of 4772	4132	cmd.exe	chcp.com
PID 4132 wrote to memory of 4772	4132	cmd.exe	chcp.com
PID 3380 wrote to memory of 3448	3380	cmd.exe	netsh.exe
PID 3380 wrote to memory of 3448	3380	cmd.exe	netsh.exe
PID 3380 wrote to memory of 3448	3380	cmd.exe	netsh.exe
PID 4132 wrote to memory of 3468	4132	cmd.exe	netsh.exe
PID 4132 wrote to memory of 3468	4132	cmd.exe	netsh.exe
PID 4132 wrote to memory of 3468	4132	cmd.exe	netsh.exe
PID 3380 wrote to memory of 5104	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 5104	3380	cmd.exe	findstr.exe
PID 3380 wrote to memory of 5104	3380	cmd.exe	findstr.exe
PID 4944 wrote to memory of 444	4944	VisualHDController.exe	msedge.exe
PID 4944 wrote to memory of 444	4944	VisualHDController.exe	msedge.exe
PID 444 wrote to memory of 3808	444	msedge.exe	msedge.exe
PID 444 wrote to memory of 3808	444	msedge.exe	msedge.exe
PID 4944 wrote to memory of 60	4944	VisualHDController.exe	msedge.exe
PID 4944 wrote to memory of 60	4944	VisualHDController.exe	msedge.exe
PID 60 wrote to memory of 3040	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3040	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1176	60	msedge.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

VisualHDController.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe

outlook_win_path 1 IoCs

Processes:

VisualHDController.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VisualHDController.exe

C:\Users\Admin\AppData\Local\Temp\c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe
"C:\Users\Admin\AppData\Local\Temp\c58a1b0ae9500be913696eb4791136fe7713a8c073610c8f86f7dd26989d06b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\Tknsjaywoelf.exe
"C:\Users\Admin\AppData\Local\Temp\Tknsjaywoelf.exe"
2⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe
"C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
"C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9232.tmp.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:3880

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "System Language Driver ver1.25" /tr "'C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe"'
5⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4404

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:3448

C:\Windows\SysWOW64\findstr.exe
findstr All
5⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4772

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x74,0x104,0x7fff7c0746f8,0x7fff7c074708,0x7fff7c074718
5⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:13954
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7c0746f8,0x7fff7c074708,0x7fff7c074718
5⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
5⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
5⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
5⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
5⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 /prefetch:8
5⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 /prefetch:8
5⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
5⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7099261080912010881,16263814715951633706,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
5⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2404
4⤵
- Program crash
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
"C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4944 -ip 4944
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
"C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3068

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2⤵
PID:2620

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4708

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
3⤵
PID:1180

C:\Windows\SysWOW64\findstr.exe
findstr All
3⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2⤵
PID:3744

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3892

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:12865
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7c0746f8,0x7fff7c074708,0x7fff7c074718
3⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
3⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
3⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
3⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
3⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,11174583550617433334,1434353971576653641,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1908 /prefetch:8
3⤵
PID:524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
74e39128d3525e05a050ba1ffb3ae14f

SHA1
740458d630ce6ee92316e14433c2c11f2bfaa7ed

SHA256
b3affbddb1a08fff5dca49c613ed3f820887a4cd23d2b25ceb85dd641bedf2ea

SHA512
cc8e112740559d6cb82e07a42eb4af12f77ab6d2a4387e6910e0233d1a463452b2627b9b29ec389c3100ecc4b096116c411cf8045a0c95f8d13f598d0e0efc53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
1471fc82fd6aba7f92fb05d7eec1bcdf

SHA1
4d40125cb8326137a1a5d46c6e5466745f76f50a

SHA256
983cd39cb614d86623bb4b188633f237c90897ada51d1d8a1b5272eb7b438ba8

SHA512
7a878b9c1e633031f4044620ddf4f195ec2c69b37bbf23dc8fff5852f8ab6d4216683d2872b41c0290a14d96eba7b74b05e8cff81c70b8fe7702aec0fad41283

Download Submit
C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
Filesize
274B

MD5
44ae04719ab00c3e633feb4f7c1d3049

SHA1
3d5aca5a15637be89167481894511bc7a0bc9abb

SHA256
e61766442b0ec515fd378ea924a9e3addaf459731f6ad7f1ff98181b8a4e615c

SHA512
a051e4876a3c2f6bae04725215540d5b5857a97907ec9f7a7382eb4f2198e97223f4603f447b570d3d7f5561aac489aa37e637417d33813f2a2821cb6c85c38d

Download Submit
C:\Users\Admin\AppData\Local\CFFD99D0A92C5917C47D
Filesize
20B

MD5
a4c301793da751db358f8429a91b564d

SHA1
abf568085d2389755419c467c33709c171b64ec9

SHA256
f64d9fb7a6bfaad6c29f0089fe66644428a155d55110ee7b6e6c7f80424f8ca4

SHA512
cbde04ada630c3b58a91f4d8fa18a373b7663e04a3fc85b73b07d735c84c5eaaf9a6081ba8f5f2b8cda6804137116de0f446b00cf8885750960f607cc152198c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VisualHDController.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c671a6a3920cf5a5a7b5641546564b1

SHA1
a32dc7eb5fbcabfd80bd3cc83feb61cb439f3049

SHA256
88d8dd693b6f739068b9aff5c6cc8b036af8cd00f0f4df07fe339393045ec417

SHA512
10f63235b9b1d7bc0935ad1fbfd1dcf3d3fb25adba141d951f4fb99f1d01c870de7ed34cfc447598295fc8f051050e949f4eb663a435d3315f953a5896ef7c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
a4779dd6505d9997de436c3f92945938

SHA1
9eae85f2965706944e9259d9d276fb9d0ffcfa55

SHA256
ef45b9d31aedd152a03e7873d33d92acc49439d5967f77c6a71368a3eb37f3eb

SHA512
d1ef5abd6466bc9a22c782788d75d88f037e4f78c3493ddf37e11b0eba2fc3d15081db22f6c5851895a364ec7fda0af96e72bbf7d21aef1a6ec960f5e0a2f3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index
Filesize
48B

MD5
a4779dd6505d9997de436c3f92945938

SHA1
9eae85f2965706944e9259d9d276fb9d0ffcfa55

SHA256
ef45b9d31aedd152a03e7873d33d92acc49439d5967f77c6a71368a3eb37f3eb

SHA512
d1ef5abd6466bc9a22c782788d75d88f037e4f78c3493ddf37e11b0eba2fc3d15081db22f6c5851895a364ec7fda0af96e72bbf7d21aef1a6ec960f5e0a2f3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index
Filesize
256KB

MD5
582bd5640a7b0c8e3040670d02522374

SHA1
716255c2fe8545db1813dc142d63a4ea0646dc04

SHA256
9606b9b31507de7eff404552ce626a29557e17659588d5978e799a604ff690a3

SHA512
88b944d3bd079bd30ed8bbf3a511245d42d1988172bfc5a1fd92d89a980a9510175619388fb24fb6a099a454fad43cf2d53aadc32b979f9fcfd47ba0d521a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
77cd4b7f7212aa1a374cb8fd77044bba

SHA1
1021e8b1dbbb97c7532bd018bfc51bb01fb8110a

SHA256
aeba6ce241de2db8331ecb36a0de619fab9752fdb56ded9adc6456d7b4bb00b6

SHA512
4ac0c51c562fb77b61db678f3f69919669c036feb355f3b2820075400e68ed95fd4e3051939d518a2da1387f8130fe19b59ec7fb7b1cf41182c74a358f9d6343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
bd7edc606dc6ffa212cf1d9669eddcc4

SHA1
7631bff2cc3a9e16045e54611d0806826e84a1e7

SHA256
ac36a3eb6d721b632a2d558b2119fa0750a36125fd201b3a5788e1ac841dfb49

SHA512
5718227a87b1d3a522594a9396c8ef511d94ef03bc47735392652ef9974d2e170326c7ff54e8629ee437294de751b1f61f0ea11cd787cb056bceeef202f6cad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c3d5d4e0350f7cc1eec2ff69ae4f39f1

SHA1
53c685a67559285ab7796b9834f45623abb7ae2d

SHA256
9535b5e181fc548db3869d2f1697842ba5484c634919f4a13792789068ac2afd

SHA512
59609f8c5f0964f4683aeb4ee2048f87fa4f3e0a3a86fc450e56f96f46472a723fc98591fb7969314b142e4aca9021d8661638e30fe6f5408032947beaadaba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13319505145660291
Filesize
319B

MD5
90e17ab0398ff00e5b53202c83e65fe2

SHA1
bd069d07fe6cbdad5af29eb66565621fff249a34

SHA256
0fb3c4bc533e0873f4a6965dfb8d864bffb4238d18ecb7a2d7df26f7d12dc617

SHA512
3c272afd9eb095f54b5c3aca036813389f0ddd9233865e408b9186614fb14265a4620b455f55e668e9040862bb777de029265573ec9d24039ff50ca82d8a8864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
f6997a79e743a18500bf704ab97f9940

SHA1
39a07d3ffa04fe21a8d8709113ecc613aa639680

SHA256
5bba9f61168879983580e31c88d833986bc7ef315d199839fdc74a2aed8b06ee

SHA512
2553f156ace16eb172bc31be5bf9c9b107d8964bb2ee530ef23ea1195d7cc87a8f1f0d2f9db6a838590c0a3ed52215d5a15c9974e5f39d8b883b2e3670676bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
335321d2d114d6d9f952725a92318067

SHA1
a171cef070867c215ed37173d1c8db40e418e01e

SHA256
88388ee7dc8c70a84a803ae1a9722b00a1f45d9aae789e57b15609a637375a71

SHA512
41b458b54b2b76157e7653a41658ae84da2cf267794a79effab17d52ad382c9e7a9e722333ad98cfd33966413293a867f8e2d9c6d0a2be32b4eac2812c19a1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
8c38eba1303ad9ce99a7d5456be13d9a

SHA1
02f56a771d9c03dce2efe27ed519d017be37d803

SHA256
5363e175fa344c6530c6aedd6264425a51f18b552278d21c5368b4a535d7529a

SHA512
b41d0d051cc86b497c576b390f5edf028548bf48841e49d65f607485312f8fb9d93c16303a575622c04af8906b590d4ddfafdef09d45f954f4db0d41b40616c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
Filesize
100KB

MD5
67232b2ea59d7ce1ce4f85cca5d21a1f

SHA1
7452d977b7bfc47f1e266124377a7983b1a95b1f

SHA256
07430a923790ab989f740c986b2435e48de6282ad12318c3177a0fce57933a24

SHA512
a7725ec60671d019015dc600ca49ae713ac6ba8fce98b54b00d93ce2958520a4d55cff2a4de2921030ec0a1eef05df5bdbaab85be6a5173260d949f35c74fc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
279B

MD5
2b7eef7e3785143a0567993239ebebd5

SHA1
a0b59c51c1240182ca52dabc68c7e4fcc4e8f327

SHA256
b395e1d1fc62d132e977d2d41b3b15107fb8b96ffaad417a8e56ce7596efce7d

SHA512
1b7f13e421a8f391243236c65e85b08bea7e02533d5bb048495436124f07c3a3090dfe56bac022218fb3dcb3698e8c0390a4ee9fafa9ddca47959b4d4a5e8ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
160B

MD5
2e19a9040ed4a0c3ed82996607736b8f

SHA1
5a78ac2b74f385a12b019c420a681fd13e7b6013

SHA256
2eeb6d38d7aad1dc32e24d3ffd6438698c16a13efd1463d281c46b8af861a8ce

SHA512
86669994386b800888d4e3acb28ab36296594803824d78e095eb0c79642224f24aca5d2892596ac33b7a01b857367ed3a5e2c2fb3405f69a64eb8bf52c26753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
297B

MD5
022d7843d9184aa7d61413c316f123b1

SHA1
d53ea6efeecee4080ad6493e5f7107c8c5635cae

SHA256
a5a3dfd72cb866c060a80448afce4ccf43e7907c24e268a225bed618746d9b90

SHA512
d833f3bd9362f17dce1b65dfc1fa9ae8991df47b90fc4f89387561ebac8ba206b51b0e23d51fff7c6bef46528772126e11c0bba9b8f1fcc4936c6477f58b3afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
96389d3f10224689b6236c73a657dbd4

SHA1
8346f25cf7ee808ece9dbdbe327067cbdc6151a4

SHA256
c40d7288faab22926c3eb178aa9bcdc3d33ea9e3e0cb43bd9a556df4ffcb5e8d

SHA512
8d6c4df077419afa2b5a686ca812eda20960f6ef87a75b5e176116be15e46cca07ac7310038996960639a614688c372a6adc0d77214826d3a8deb2d398b7e71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638106232478359355
Filesize
158B

MD5
97da35dcf164c8bba904c835accf443b

SHA1
855a92eba78b27050c6a5c03b00c757a28580f1b

SHA256
5b714ba1fc70ccea7accfdbd41fc71556dd490709c668a65fc905d0b00bdda80

SHA512
3f007c187735a7bf30e68f36aedf665a859fc67dcdf525b4576ed7e420e80b1e17659ef7c21f3afc78324084b63f028b63b84afb7ea5e95a6dad8be803129bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tknsjaywoelf.exe
Filesize
180KB

MD5
bf7904c82b54e12960cdd516d4e117fe

SHA1
e4c59e621f459e0ff96a51b813ddb07f6cd4981a

SHA256
6cdb5139647807821a7c443eb5fb31e138d4d290fd63ba64b85955d388df1969

SHA512
d231b155046286ae1ead6f2179c82437ab9d7efd9f7e9f020ba29c167f28b3ead0dcea81da1fdfd663993aa730373327bb3254a612f9b7a7943e9763488568e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tknsjaywoelf.exe
Filesize
180KB

MD5
bf7904c82b54e12960cdd516d4e117fe

SHA1
e4c59e621f459e0ff96a51b813ddb07f6cd4981a

SHA256
6cdb5139647807821a7c443eb5fb31e138d4d290fd63ba64b85955d388df1969

SHA512
d231b155046286ae1ead6f2179c82437ab9d7efd9f7e9f020ba29c167f28b3ead0dcea81da1fdfd663993aa730373327bb3254a612f9b7a7943e9763488568e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visual HD Controller ver7.76\VisualHDController.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdbvimbn.exe
Filesize
660KB

MD5
6871ac1e5748b36b8ba9535d979d4091

SHA1
444ddfc86010ffb7d0d06d8166c8b65f1f89f9b3

SHA256
8966a400b37314c1480ab2a04dd7504ee93eae3b85750feaeda55d8a3e772d8c

SHA512
983333a39d3c13dc1f8543b9e2bd99e69fa998e15ff8ea61193ee093beb918abc823ab191202dfc32a8c2394c7223e66fcd7837a5f5b32e3a670730a9fa3c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9232.tmp.cmd
Filesize
303B

MD5
b00ce281f0aa7a3c5e3f4aa9684c8bdf

SHA1
dddfc2476415c6e602636c725ef22be3a3c23330

SHA256
effb026e3736bb0d3f566c52f7d0da9caa93cc1a46a4f53bd02946bb6f4fe747

SHA512
21c5c042639513f34e1cfbaf15a301bcd0f347e25833aa993c7cc1372cd14e04291de87b4ede624f77f286252e771ebe2da61281f7ca22fe0f15981402340e4c

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2044_EBXKMSSGALWTSZVI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_60_VNQTLIKJONSMFREJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-164-0x0000000000000000-mapping.dmp

Download
memory/444-162-0x0000000000000000-mapping.dmp

Download
memory/524-255-0x0000000000000000-mapping.dmp

Download
memory/1176-168-0x0000000000000000-mapping.dmp

Download
memory/1180-204-0x0000000000000000-mapping.dmp

Download
memory/1384-136-0x0000000000000000-mapping.dmp

Download
memory/1384-143-0x00000000048D0000-0x000000000496C000-memory.dmp

Filesize
624KB

Download
memory/1384-145-0x0000000004BA0000-0x0000000004BF6000-memory.dmp

Filesize
344KB

Download
memory/1384-142-0x0000000000010000-0x0000000000042000-memory.dmp

Filesize
200KB

Download
memory/1396-234-0x0000000000000000-mapping.dmp

Download
memory/1776-174-0x0000000000000000-mapping.dmp

Download
memory/1808-206-0x0000000000000000-mapping.dmp

Download
memory/1848-227-0x0000000000000000-mapping.dmp

Download
memory/2044-207-0x0000000000000000-mapping.dmp

Download
memory/2304-169-0x0000000000000000-mapping.dmp

Download
memory/2352-176-0x0000000000000000-mapping.dmp

Download
memory/2616-185-0x0000000000000000-mapping.dmp

Download
memory/2620-200-0x0000000000000000-mapping.dmp

Download
memory/3040-165-0x0000000000000000-mapping.dmp

Download
memory/3068-257-0x00000000051D9000-0x00000000051DF000-memory.dmp

Filesize
24KB

Download
memory/3068-256-0x00000000051D9000-0x00000000051DF000-memory.dmp

Filesize
24KB

Download
memory/3104-172-0x0000000000000000-mapping.dmp

Download
memory/3200-151-0x0000000000000000-mapping.dmp

Download
memory/3288-181-0x0000000000000000-mapping.dmp

Download
memory/3380-155-0x0000000000000000-mapping.dmp

Download
memory/3448-159-0x0000000000000000-mapping.dmp

Download
memory/3468-160-0x0000000000000000-mapping.dmp

Download
memory/3620-154-0x0000000000000000-mapping.dmp

Download
memory/3676-224-0x0000000000000000-mapping.dmp

Download
memory/3680-241-0x0000000000000000-mapping.dmp

Download
memory/3744-201-0x0000000000000000-mapping.dmp

Download
memory/3808-163-0x0000000000000000-mapping.dmp

Download
memory/3880-153-0x0000000000000000-mapping.dmp

Download
memory/3892-203-0x0000000000000000-mapping.dmp

Download
memory/4012-205-0x0000000000000000-mapping.dmp

Download
memory/4132-183-0x0000000000000000-mapping.dmp

Download
memory/4132-156-0x0000000000000000-mapping.dmp

Download
memory/4136-225-0x0000000000000000-mapping.dmp

Download
memory/4404-157-0x0000000000000000-mapping.dmp

Download
memory/4468-139-0x0000000000000000-mapping.dmp

Download
memory/4468-146-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/4468-144-0x0000000000960000-0x0000000000A0C000-memory.dmp

Filesize
688KB

Download
memory/4588-208-0x0000000000000000-mapping.dmp

Download
memory/4620-178-0x0000000000000000-mapping.dmp

Download
memory/4708-202-0x0000000000000000-mapping.dmp

Download
memory/4772-158-0x0000000000000000-mapping.dmp

Download
memory/4944-192-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-189-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-194-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-179-0x0000000004FE9000-0x0000000004FEF000-memory.dmp

Filesize
24KB

Download
memory/4944-186-0x0000000004FE9000-0x0000000004FEF000-memory.dmp

Filesize
24KB

Download
memory/4944-187-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-188-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-191-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4944-147-0x0000000000000000-mapping.dmp

Download
memory/4944-190-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/5040-132-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5040-135-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/5040-134-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/5040-133-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/5104-161-0x0000000000000000-mapping.dmp

Download