hxxps://attachments[.]office[.]net/owa/jimmir%40eltiempo[.]com/service[.]svc/s/GetAttachmentThumbnail?id=AQMkADkyMzY5ZmMxLTU3YjYtNGFlNy1iZTczLTBhNTBmMDVjMTNjMABGAAADYhk3Tp76DEicwDVyEVo4pwcAR0xPeEhykki7c7sWkXlpywAAAgEKAAAAR0xPeEhykki7c7sWkXlpywABuIFhGwAAAAESABAAlzZVH5i17UqZl8io4zSV7Q%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ[.]eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiYTQ4YmUzNjYwM2QzNGZmZDkxYThiNGIxZTFkNTUzMDciLCJzaWduaW5fc3RhdGUiOiJbXCJrbXNpXCJdIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzODAxMTIwODYzNzk1NjE3XCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiYTVhM2RmYzQtNGU5OC00ZWZkLWJlYTAtYjU0OGQyMTQyNmRlXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xODAzOTYxNTIyLTc4NzA0MzU0NS0xMjUxODQyODQxLTI3NDAyMzgwXCJ9IiwibmJmIjoxNjkyOTE2MjcwLCJleHAiOjE2OTI5MTY4NzAsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudHMub2ZmaWNlLm5ldEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJoYXBwIjoib3dhIn0[.]th1Cp4rb3mPaOO2kB3v_IF4rkfUEQNeZy6lDwM7TSYcnPi_kM49LGYK57-fw0A13-prGJU9tkgBo6Js8FQdI0ER3eNxFUdZv637GzKLCZrGva_fJ3NOh3hZVR6ENZc26NJefn1_dy-a84ALTjw0HjRWJ_2ngCfMxyInrjWvyWU2ZL1yJ4_r9c-YBFpJ0VVKyC0H1hrMzHu_A6-hb1zoO_mpiSx9LLvWRD-WxzhXqAe5wY7Dv1fYhsD3NMZpGa_a165NkJIDqRtarnIpx30TQyDDuoRnXmGPE4oe3v7U1LolbcoBEYM-4vIrMPBO3B8Vh5J3rDf9kUaiwXM5Beuai2g&X-OWA-CANARY=W3U48W4KQEicPsPXthlQt9DXpk3ypNsYoa-cYUoXDnoM_LBkVnks-WXTm199VS1LrT6rvGp_6hU[.]&owa=outlook[.]office[.]com&scriptVer=20230818006[.]04&animation=true

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 22:35

Sharing

Behavioral task

behavioral1

Sample

https://attachments.office.net/owa/jimmir%40eltiempo.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADkyMzY5ZmMxLTU3YjYtNGFlNy1iZTczLTBhNTBmMDVjMTNjMABGAAADYhk3Tp76DEicwDVyEVo4pwcAR0xPeEhykki7c7sWkXlpywAAAgEKAAAAR0xPeEhykki7c7sWkXlpywABuIFhGwAAAAESABAAlzZVH5i17UqZl8io4zSV7Q%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiYTQ4YmUzNjYwM2QzNGZmZDkxYThiNGIxZTFkNTUzMDciLCJzaWduaW5fc3RhdGUiOiJbXCJrbXNpXCJdIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzODAxMTIwODYzNzk1NjE3XCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiYTVhM2RmYzQtNGU5OC00ZWZkLWJlYTAtYjU0OGQyMTQyNmRlXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xODAzOTYxNTIyLTc4NzA0MzU0NS0xMjUxODQyODQxLTI3NDAyMzgwXCJ9IiwibmJmIjoxNjkyOTE2MjcwLCJleHAiOjE2OTI5MTY4NzAsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudHMub2ZmaWNlLm5ldEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJoYXBwIjoib3dhIn0.th1Cp4rb3mPaOO2kB3v_IF4rkfUEQNeZy6lDwM7TSYcnPi_kM49LGYK57-fw0A13-prGJU9tkgBo6Js8FQdI0ER3eNxFUdZv637GzKLCZrGva_fJ3NOh3hZVR6ENZc26NJefn1_dy-a84ALTjw0HjRWJ_2ngCfMxyInrjWvyWU2ZL1yJ4_r9c-YBFpJ0VVKyC0H1hrMzHu_A6-hb1zoO_mpiSx9LLvWRD-WxzhXqAe5wY7Dv1fYhsD3NMZpGa_a165NkJIDqRtarnIpx30TQyDDuoRnXmGPE4oe3v7U1LolbcoBEYM-4vIrMPBO3B8Vh5J3rDf9kUaiwXM5Beuai2g&X-OWA-CANARY=W3U48W4KQEicPsPXthlQt9DXpk3ypNsYoa-cYUoXDnoM_LBkVnks-WXTm199VS1LrT6rvGp_6hU.&owa=outlook.office.com&scriptVer=20230818006.04&animation=true

Resource

win10v2004-20230824-en

windows10-2004-x64

10 signatures

150 seconds

Report Analysis Logs

General

Target

https://attachments.office.net/owa/jimmir%40eltiempo.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADkyMzY5ZmMxLTU3YjYtNGFlNy1iZTczLTBhNTBmMDVjMTNjMABGAAADYhk3Tp76DEicwDVyEVo4pwcAR0xPeEhykki7c7sWkXlpywAAAgEKAAAAR0xPeEhykki7c7sWkXlpywABuIFhGwAAAAESABAAlzZVH5i17UqZl8io4zSV7Q%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiYTQ4YmUzNjYwM2QzNGZmZDkxYThiNGIxZTFkNTUzMDciLCJzaWduaW5fc3RhdGUiOiJbXCJrbXNpXCJdIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzODAxMTIwODYzNzk1NjE3XCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiYTVhM2RmYzQtNGU5OC00ZWZkLWJlYTAtYjU0OGQyMTQyNmRlXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xODAzOTYxNTIyLTc4NzA0MzU0NS0xMjUxODQyODQxLTI3NDAyMzgwXCJ9IiwibmJmIjoxNjkyOTE2MjcwLCJleHAiOjE2OTI5MTY4NzAsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudHMub2ZmaWNlLm5ldEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJoYXBwIjoib3dhIn0.th1Cp4rb3mPaOO2kB3v_IF4rkfUEQNeZy6lDwM7TSYcnPi_kM49LGYK57-fw0A13-prGJU9tkgBo6Js8FQdI0ER3eNxFUdZv637GzKLCZrGva_fJ3NOh3hZVR6ENZc26NJefn1_dy-a84ALTjw0HjRWJ_2ngCfMxyInrjWvyWU2ZL1yJ4_r9c-YBFpJ0VVKyC0H1hrMzHu_A6-hb1zoO_mpiSx9LLvWRD-WxzhXqAe5wY7Dv1fYhsD3NMZpGa_a165NkJIDqRtarnIpx30TQyDDuoRnXmGPE4oe3v7U1LolbcoBEYM-4vIrMPBO3B8Vh5J3rDf9kUaiwXM5Beuai2g&X-OWA-CANARY=W3U48W4KQEicPsPXthlQt9DXpk3ypNsYoa-cYUoXDnoM_LBkVnks-WXTm199VS1LrT6rvGp_6hU.&owa=outlook.office.com&scriptVer=20230818006.04&animation=true

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
2940	msedge.exe
2940	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
4516	msedge.exe
4516	msedge.exe
2296	msedge.exe
2296	msedge.exe
5080	mspaint.exe
5080	mspaint.exe
1832	mspaint.exe
1832	mspaint.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3384	svchost.exe
Token: SeRestorePrivilege	3384	svchost.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5080	mspaint.exe
3380	OpenWith.exe
1832	mspaint.exe
1832	mspaint.exe
1832	mspaint.exe
1832	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1796	2940	msedge.exe	82
PID 2940 wrote to memory of 1796	2940	msedge.exe	82
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1632	2940	msedge.exe	85
PID 2940 wrote to memory of 1752	2940	msedge.exe	84
PID 2940 wrote to memory of 1752	2940	msedge.exe	84
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86
PID 2940 wrote to memory of 3644	2940	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://attachments.office.net/owa/jimmir%40eltiempo.com/service.svc/s/GetAttachmentThumbnail?id=AQMkADkyMzY5ZmMxLTU3YjYtNGFlNy1iZTczLTBhNTBmMDVjMTNjMABGAAADYhk3Tp76DEicwDVyEVo4pwcAR0xPeEhykki7c7sWkXlpywAAAgEKAAAAR0xPeEhykki7c7sWkXlpywABuIFhGwAAAAESABAAlzZVH5i17UqZl8io4zSV7Q%3D%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiYTQ4YmUzNjYwM2QzNGZmZDkxYThiNGIxZTFkNTUzMDciLCJzaWduaW5fc3RhdGUiOiJbXCJrbXNpXCJdIiwidmVyIjoiRXhjaGFuZ2UuQ2FsbGJhY2suVjEiLCJhcHBjdHhzZW5kZXIiOiJPd2FEb3dubG9hZEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJpc3NyaW5nIjoiU0lQIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzODAxMTIwODYzNzk1NjE3XCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiYTVhM2RmYzQtNGU5OC00ZWZkLWJlYTAtYjU0OGQyMTQyNmRlXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xODAzOTYxNTIyLTc4NzA0MzU0NS0xMjUxODQyODQxLTI3NDAyMzgwXCJ9IiwibmJmIjoxNjkyOTE2MjcwLCJleHAiOjE2OTI5MTY4NzAsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJhdWQiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAvYXR0YWNobWVudHMub2ZmaWNlLm5ldEA2NWU1OGQ5OS0xNzgwLTRlNWItYTY4Mi0wZjQ3YzQ3MzNmODQiLCJoYXBwIjoib3dhIn0.th1Cp4rb3mPaOO2kB3v_IF4rkfUEQNeZy6lDwM7TSYcnPi_kM49LGYK57-fw0A13-prGJU9tkgBo6Js8FQdI0ER3eNxFUdZv637GzKLCZrGva_fJ3NOh3hZVR6ENZc26NJefn1_dy-a84ALTjw0HjRWJ_2ngCfMxyInrjWvyWU2ZL1yJ4_r9c-YBFpJ0VVKyC0H1hrMzHu_A6-hb1zoO_mpiSx9LLvWRD-WxzhXqAe5wY7Dv1fYhsD3NMZpGa_a165NkJIDqRtarnIpx30TQyDDuoRnXmGPE4oe3v7U1LolbcoBEYM-4vIrMPBO3B8Vh5J3rDf9kUaiwXM5Beuai2g&X-OWA-CANARY=W3U48W4KQEicPsPXthlQt9DXpk3ypNsYoa-cYUoXDnoM_LBkVnks-WXTm199VS1LrT6rvGp_6hU.&owa=outlook.office.com&scriptVer=20230818006.04&animation=true
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc136a46f8,0x7ffc136a4708,0x7ffc136a4718
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3479585397264387145,6139055272865732440,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2980

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\thumbnail_QIHUAIIARP (1).png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384
- C:\Windows\system32\dashost.exe
  dashost.exe {a50dcfc6-daeb-414f-a930e22428fd488c}
  2⤵
  PID:4980

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\thumbnail_QIHUAIIARP (1).png"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3590c7788f1f36717cbd298007259a6f

SHA1
9e9a602016435a1d642e18a54d8d6589f938a5bb

SHA256
09a08de2fcd19e304c3b8f6e04f5e4da257a3f18759827be4e9c6af862412174

SHA512
07df3ee7e2d4a313c996c6b8451450556a75e5ac8e4d10595f255164fdd25d6bc596ad579d90f6496c78a15a3c6fc349d748dd7c5f4b2b51d330c52577e2988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
449B

MD5
ab778f9776ea233c35c99703e77822f5

SHA1
ce893f6e47af9b0e517e2d6397c2e4b3c028da07

SHA256
725fb0667d61c86502faa0624e017851c4b9747fdf2ec34d6e0dab5991682745

SHA512
b03a6956d8fc24b30db0a8a9412a3325b5141214afb7f32568dc9d4cd74e715100452f588931c663cdf769ca7816c4dee3e373993f60014049ebdf269219610a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ac30ada366441ea6ee0deaf1a162aae

SHA1
09c21386749b197a840943a240ef9e8a48f8a9ca

SHA256
2334676896cd295dc94953f1bea848062030a0c98f87522906c9af9a78db52d2

SHA512
ea93583c62bcbdc5326c0ce809c3dd4c6bac076027b9de0405e1544fab7039d11892d364a5087108e9b6491cb627c987904ace9d4f568fb8dbcab89a4bbeb7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a6d7331cf3308238159577afbdb0727

SHA1
fe216ca218adabcb74d48693a97ae51b08d12dd0

SHA256
12a37f4f2f603bdfd1f5eaf7579fba5b965dcc625f97687882f40947b3b4f999

SHA512
d2abc2ebdb925ec4e7646d05e5530e0cddefac9cf7b1e147b6b612866c6b2b60af3995bbdbbaddcc13fb0a8a4b5576f757972e460fd31e0c359c2c43871401e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78fc55a4b063163abc6c3cedb51ca754

SHA1
43a2eee2736c0521974fb40a89cf8d2cb62e8284

SHA256
f08a0e64111057119731109df64eb59499e53dbc26943da55849ad6a7557ec77

SHA512
b2aad841feb79c7aae8f108a82f9103e6c13dea4aee35c9dcd200024488fe72973a2ca9a058fc695d521d520df4b7d72ce95f08e9d8923b987131121544ef886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a128973ca2ca245299ef7e60156b4ef8

SHA1
d39a437204591bbff98d673e6d1c4f869683ebcc

SHA256
5c6e1f3c7213460c24dc670521adbe32ec76df5e3facc0a7b92a3fa9e340b302

SHA512
bbbdbe2fae61c2a27b4aadfbda2efae2675156dcea6edb8b45fbe83f397f8a1f50d694d8bcd1f53939a277722baf102f3f80caffadfcf0ca80d7408d77d8c490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
90089acb9b828db92102d73dba5db40b

SHA1
f2a981bc42d95ecf0f0a5d6890f3168a80c4a5bc

SHA256
1d1e430c1f442f0847c25e3c78f251a6b3db70f51c8eed55194abf6e5c370b9f

SHA512
7ec6f73bf3e085de9ca78165c2a4c46ada206d6a59cc10323899d5b7e781d402ae331ff00f14c1d608a8a662d36f3987339a62f7c5a4493f7e77d70be2a73b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5888e2.TMP

Filesize
203B

MD5
ac7b5259e42b59d2511f34d420695499

SHA1
6482b4c3fd1110d9512f5dcc5fa179034064cb9c

SHA256
d68f799971c590d6ee8eed11752c937e6a6198d97677d544e60a860d3fa44ab6

SHA512
b31656c84c558b4f5f067191ab5c76413fb7a80fe079c1930b47ada858cac3cd6b87a37a06198ea7b8afa738bfcb41c1cd0d76791e77a01c3ecd2b32826b2d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af53d9637cf1f1cd1906c4d496533bf0

SHA1
7204f4e1140217f654514330623f0f7485eeb0e5

SHA256
a353197d2f3706fed22beeeae242d857fb0aee2a38997b3b9416d53e97395d32

SHA512
ed41e465232d26ddd4e524d845f2afdc551050f0407009ad3052986e079106b9d3c6b088c393a9202b243c2dba4dc9d8a621a112c10a9ee93543a97ac0ff0c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec6a06a06accaa0622227661a3dceb09

SHA1
166b8cc9be75ffd5a9e8fe08ca4c0629db73a43f

SHA256
eff14839e01f7fc170068ad49ce0d94449cded4a12cdb3db40ab11698b2c96ee

SHA512
dbff041491f9f94b54e35cfe790a54301cdafe1baf124aac1ef609b35d3ae65007de73cb514bdf52dc1a2ce574662367b60062fc24c6bc9912d0e6f804dcee5e

Download Submit
C:\Users\Admin\Downloads\thumbnail_QIHUAIIARP (1).png

Filesize
46KB

MD5
7379180e1ab3587640cc94e791d62e6a

SHA1
3ab55b86eb6432d7792d68a7be540e90f9d5c01b

SHA256
c3adb0c9685d245214721181733d8d3a0e0b09f8e5ea035db6be9ae3666091ad

SHA512
7a2f2d67f55bf4b44e6459201279cd9aba5489d1e4ccb03b84a9ebad0d7a43b054c4c209aa8697eca3d74a248cda4d4d49fe759923430ff63e0daf3c9211a324

Download Submit
C:\Users\Admin\Downloads\thumbnail_QIHUAIIARP (1).png.crdownload

Filesize
46KB

MD5
7379180e1ab3587640cc94e791d62e6a

SHA1
3ab55b86eb6432d7792d68a7be540e90f9d5c01b

SHA256
c3adb0c9685d245214721181733d8d3a0e0b09f8e5ea035db6be9ae3666091ad

SHA512
7a2f2d67f55bf4b44e6459201279cd9aba5489d1e4ccb03b84a9ebad0d7a43b054c4c209aa8697eca3d74a248cda4d4d49fe759923430ff63e0daf3c9211a324

Download Submit
memory/2124-134-0x00000274EBD30000-0x00000274EBD40000-memory.dmp

Filesize
64KB

Download
memory/2124-139-0x00000274EBD80000-0x00000274EBD90000-memory.dmp

Filesize
64KB

Download
memory/2124-147-0x00000274F49C0000-0x00000274F49C1000-memory.dmp

Filesize
4KB

Download
memory/2124-149-0x00000274F4A40000-0x00000274F4A41000-memory.dmp

Filesize
4KB

Download
memory/2124-151-0x00000274F4A40000-0x00000274F4A41000-memory.dmp

Filesize
4KB

Download
memory/2124-152-0x00000274F4AE0000-0x00000274F4AE1000-memory.dmp

Filesize
4KB

Download
memory/2124-153-0x00000274F4AE0000-0x00000274F4AE1000-memory.dmp

Filesize
4KB

Download
memory/2124-154-0x00000274F4AE0000-0x00000274F4AE1000-memory.dmp

Filesize
4KB

Download
memory/2124-155-0x00000274F4AE0000-0x00000274F4AE1000-memory.dmp

Filesize
4KB

Download