9f7825c841e8dbc812b0c6924c2c5237f3e3ecb3e73a49462ebb67129c636159

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hack-browser-data-windows-64bit.exe
Size

7.5MB
MD5

75bd8ba4bbadab80ff13e6c90f0dc779
SHA1

253042ad1db168cb13ff4847dfca375d13f9700a
SHA256

9f7825c841e8dbc812b0c6924c2c5237f3e3ecb3e73a49462ebb67129c636159
SHA512

8c568beaeb3938359c9d3b9e895748a2450b63602a1238fc9f54a993ebeb9145b3e8ae4ffd97f75dc2dbcee31f95a723fa1f6a874a576c740a73bf4b779e3734
SSDEEP

49152:JiEZCAb6vv9TzK3U7V4Y8prk3ds2HcFxN7aZ3A8KvYANeiouCicZh3uT3p2zgA4V:EtG63dt8gojjN/C9np1s

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04ba74b2288da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e039b34b2288da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9f0ae4e2288da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006076f64e2288da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ff8334c2288da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067be804f2288da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a31e3b4c2288da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3ef284b2288da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b87b324b2288da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033d8724b2288da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009544614c2288da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000519e774b2288da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
692	msedge.exe
692	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	3232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3232	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4428	3232	SearchIndexer.exe	110
PID 3232 wrote to memory of 4428	3232	SearchIndexer.exe	110
PID 3232 wrote to memory of 2636	3232	SearchIndexer.exe	111
PID 3232 wrote to memory of 2636	3232	SearchIndexer.exe	111
PID 4904 wrote to memory of 4404	4904	msedge.exe	124
PID 4904 wrote to memory of 4404	4904	msedge.exe	124
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2580	4904	msedge.exe	125
PID 4904 wrote to memory of 2140	4904	msedge.exe	126
PID 4904 wrote to memory of 2140	4904	msedge.exe	126
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127
PID 4904 wrote to memory of 2684	4904	msedge.exe	127

C:\Users\Admin\AppData\Local\Temp\hack-browser-data-windows-64bit.exe
"C:\Users\Admin\AppData\Local\Temp\hack-browser-data-windows-64bit.exe"
1⤵
PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnlockUse.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta75b65abh4f0dh4fe4h8137hc54850bb0d4c
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd41a646f8,0x7ffd41a64708,0x7ffd41a64718
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,14986695392703851393,12703770440062560577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,14986695392703851393,12703770440062560577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,14986695392703851393,12703770440062560577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0f05d783h75b9h47e6h81aeh15a8c33c31ce
1⤵
PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd41a646f8,0x7ffd41a64708,0x7ffd41a64718
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,6198585348150301109,14329034547119518454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,6198585348150301109,14329034547119518454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,6198585348150301109,14329034547119518454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0b728216-8cbf-4d72-991c-99ff61f1bfef.tmp

Filesize
8KB

MD5
e351d45fdb15f4cd31c3d4d1a0511b43

SHA1
149580288682555492109da7384858514a8fd2b0

SHA256
1ab189e476b330d70ce8ee4a1b543c0e0c688597a738f86e21a0f822b8b30efc

SHA512
269d6e85c334306fa67f5b8b55ac6deabd3e8c03284da520ab85230c8b448d255de9a163a983c1fe6d70e4c682798dfb086406472eede186f2888fe0c055de78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
77452c99a412821919c831c8ba8547ca

SHA1
035c7029d515c1e94c617ab344c0cd6475e25e8d

SHA256
6bdbf093b9d163d571f000165c0401ebb932c935d006056d5b80ca9e206c4085

SHA512
9006a742b3eaa35c21cc428166972c82a0721bee4cb610f0338996d8ff5ea429a832e7850ba0b020615caf2d18387ae0140ff4452fea6fd91f65095df6ab9a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19a1d5d843b304afcdfff3e9c316eff3

SHA1
3d7414bdac97ddbbc849e05803ce42d6f29e62b5

SHA256
b24ca0cc30e3186a00466bcfa5ba9ef78061412b6f11cb1388bed8f70f78d565

SHA512
209a3a23e3174bdb8e5beab46a790c300530d7491d072252a2d3d25218c8084bbb53c78b9d1c555e2c046705db547de1fb719230575c4acf57d64d0cd42357b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
406489acc87826e893940e2348efb474

SHA1
70d78b2838cd6fabc94fffe53f497baf3b7b6019

SHA256
9404f09c0e7d01fe90e9fed4d3232234f2f1f5fed8459d342fe45c52cd8d695e

SHA512
becf3bee4cb81040ee4b903cb45a8550c4e86c1d5fc5b933bb2b301659a545e3ba1ae4193ceb681ac4a3b5dd48c2dd9d0778fb05730c173e5129f0afb2a6b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
0af4bc04c0f3a3ef0bedaea21d37fd09

SHA1
16dd9714b549b08792830bdd940c4c2a7e2a5937

SHA256
93df4198f1de20e91bee7ffae8ee21a23abefb45b900445824226dd2469595a3

SHA512
41dbe5a92c41483cc57ed5cb1e2a7246d068425c2f0b5ca2eab6879a2532284f6977b486f1f1a801490c314503fc4ca69b447a0bea59f415bcc130c6f827038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\localStorage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sessionStorage\000004.ldb

Filesize
141B

MD5
800964100bf5522029908e4d62c8cb86

SHA1
28fa46ca8b867b24975ffa2e164a08dcb8c3838d

SHA256
4320e36c155668faf70df6378ed4748e176a45f9b38996f5529fb8dbaf7a46be

SHA512
511d001b6a05f93f113924a60cf225d03811527a2fe915b25c0305fe64f8dfc8600ae67ebe51246852eb11ea063621801c4e028292626f49ddd989ef0b245936

Download Submit
C:\Users\Admin\AppData\Local\Temp\sessionStorage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\sessionStorage\CURRENT.6

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
255B

MD5
3ad8413a41ef0e1393e5c0bea5a90fa1

SHA1
56e9d93952249b6a22d2271b8376cd2a1ccc4986

SHA256
670c3e1c76dddeea00f2920017524d7b55c711f9f653e1bc106cda132e8e9a8e

SHA512
5fd036f15eaa3ceea2c96a99087e33ed74cbb4c353095b808ed8733bc0df661e13cde2d9430b4dc6a75d0c7bb7fc2af0426a197e3452f8cab49dcfc6cdc498ab

Download Submit
memory/2636-348-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-300-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-383-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-382-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-380-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-378-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-375-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-374-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-373-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-371-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-370-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-360-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-359-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-261-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-262-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-260-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-263-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-265-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-264-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-266-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-267-0x000001D68C4A0000-0x000001D68C4A1000-memory.dmp

Filesize
4KB

Download
memory/2636-268-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-270-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-271-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-269-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-274-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-276-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-277-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-275-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-273-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-272-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-278-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-279-0x000001D68C4C0000-0x000001D68C4D0000-memory.dmp

Filesize
64KB

Download
memory/2636-280-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-281-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-286-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-287-0x000001D68C6C0000-0x000001D68C6D0000-memory.dmp

Filesize
64KB

Download
memory/2636-288-0x000001D68C6C0000-0x000001D68C6D0000-memory.dmp

Filesize
64KB

Download
memory/2636-299-0x000001D68C6C0000-0x000001D68C6D0000-memory.dmp

Filesize
64KB

Download
memory/2636-358-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-301-0x000001D68C6C0000-0x000001D68C6D0000-memory.dmp

Filesize
64KB

Download
memory/2636-305-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-306-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-311-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-312-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-319-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-325-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-324-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-328-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-333-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-346-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-347-0x000001D68CB40000-0x000001D68CB50000-memory.dmp

Filesize
64KB

Download
memory/2636-345-0x000001D68C6C0000-0x000001D68C6D0000-memory.dmp

Filesize
64KB

Download
memory/2636-344-0x000001D68C4C0000-0x000001D68C4D0000-memory.dmp

Filesize
64KB

Download
memory/2636-354-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-349-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/2636-351-0x000001D68C470000-0x000001D68C480000-memory.dmp

Filesize
64KB

Download
memory/3232-240-0x0000023E6BC90000-0x0000023E6BCA0000-memory.dmp

Filesize
64KB

Download
memory/3232-224-0x0000023E6BB90000-0x0000023E6BBA0000-memory.dmp

Filesize
64KB

Download
memory/3232-256-0x0000023E70180000-0x0000023E70188000-memory.dmp

Filesize
32KB

Download
memory/3540-185-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-187-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-223-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-219-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-220-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-221-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-222-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-184-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-188-0x00007FFD1F330000-0x00007FFD1F340000-memory.dmp

Filesize
64KB

Download
memory/3540-186-0x00007FFD1F330000-0x00007FFD1F340000-memory.dmp

Filesize
64KB

Download
memory/3540-181-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-183-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-182-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-180-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-179-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-178-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-176-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/3540-177-0x00007FFD61AD0000-0x00007FFD61CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-175-0x00007FFD21B50000-0x00007FFD21B60000-memory.dmp

Filesize
64KB

Download
memory/4888-174-0x0000000000C50000-0x0000000001437000-memory.dmp

Filesize
7.9MB

Download