kinsing | hxxp://youtube[.]com

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youtube.com

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

151 5360 powershell.exe
153 5360 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

152 raw.githubusercontent.com
153 raw.githubusercontent.com
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3304 sc.exe
4008 sc.exe

flow	pid	process
151	5360	powershell.exe
153	5360	powershell.exe

flow	ioc
152	raw.githubusercontent.com
153	raw.githubusercontent.com

pid	process
3304	sc.exe
4008	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{01621E72-B161-41B3-8EFA-C8FBD7E25B0C}	msedge.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

5648 reg.exe
2824 reg.exe
3912 reg.exe
400 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1244 PING.EXE

pid	process
5648	reg.exe
2824	reg.exe
3912	reg.exe
400	reg.exe

pid	process
1244	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exemsedge.exemsedge.exe

pid	process
4968	msedge.exe
4968	msedge.exe
3988	msedge.exe
3988	msedge.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
5904	msedge.exe
5904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEpowershell.exe

description pid process

Token: 33 3528 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3528 AUDIODG.EXE
Token: SeDebugPrivilege 5360 powershell.exe

description	pid	process
Token: 33	3528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3528	AUDIODG.EXE
Token: SeDebugPrivilege	5360	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3988 wrote to memory of 1672	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 1672	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4292	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4968	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4968	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe
PID 3988 wrote to memory of 4448	3988	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff20d946f8,0x7fff20d94708,0x7fff20d94718
2⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3464 /prefetch:8
2⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
2⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7242539055321221865,16151397736018260435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_82148513.cmd" "
2⤵
PID:5936

C:\Windows\System32\sc.exe
sc query Null
3⤵
- Launches sc.exe
PID:3304

C:\Windows\System32\find.exe
find /i "RUNNING"
3⤵
PID:6132

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_82148513.cmd"
3⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:5476

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:5488

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
3⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
3⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
4⤵
PID:1712

C:\Windows\System32\cmd.exe
cmd
4⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_82148513.cmd" "
3⤵
PID:5516

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:5764

C:\Windows\System32\fltMC.exe
fltmc
3⤵
PID:5908

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
3⤵
- Modifies registry key
PID:5648

C:\Windows\System32\find.exe
find /i "0x0"
3⤵
PID:848

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
3⤵
- Modifies registry key
PID:2824

C:\Windows\System32\cmd.exe
cmd.exe /c ""C:\Windows\Temp\MAS_82148513.cmd" -qedit"
3⤵
PID:5348

C:\Windows\System32\find.exe
find /i "RUNNING"
4⤵
PID:2928

C:\Windows\System32\sc.exe
sc query Null
4⤵
- Launches sc.exe
PID:4008

C:\Windows\System32\reg.exe
reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
4⤵
- Modifies registry key
PID:3912

C:\Windows\System32\findstr.exe
findstr /v "$" "MAS_82148513.cmd"
4⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:5796

C:\Windows\System32\find.exe
find /i "/"
4⤵
PID:5804

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:5468

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
4⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
4⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
4⤵
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
5⤵
PID:5548

C:\Windows\System32\cmd.exe
cmd
5⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_82148513.cmd" "
4⤵
PID:1976

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:732

C:\Windows\System32\fltMC.exe
fltmc
4⤵
PID:720

C:\Windows\System32\reg.exe
reg query HKCU\Console /v QuickEdit
4⤵
- Modifies registry key
PID:400

C:\Windows\System32\find.exe
find /i "0x0"
4⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
4⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
4⤵
PID:368

C:\Windows\System32\find.exe
find "127.69"
4⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
4⤵
PID:5392

C:\Windows\System32\find.exe
find "127.69.2.5"
4⤵
PID:1896

C:\Windows\System32\find.exe
find /i "/S"
4⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
4⤵
PID:4228

C:\Windows\System32\find.exe
find /i "/"
4⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
4⤵
PID:4072

C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
5⤵
PID:4544

C:\Windows\System32\mode.com
mode 76, 30
4⤵
PID:5208

C:\Windows\System32\choice.exe
choice /C:123456780 /N
4⤵
PID:3848

C:\Windows\System32\PING.EXE
ping -4 -n 1 updatecheck.massgrave.dev
1⤵
- Runs ping.exe
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
df791c840c557bed0600326a6036b8ba

SHA1
218c886a3210f0673f9439ed27968a0783b7acdd

SHA256
26d50105b3b5136bef1f33e9ac05dc4902f25f178afa57d853542c60bfdca3ef

SHA512
d8bdbd03c88c4fabbf429fe20810fa0924a4d63ebedef6487bdb4398c790597b644067f744644742abec458137a9ae23901063653a52a82b6e6bab78bc5593f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
030ac5a3fe5914d5594e576d6f26e125

SHA1
1d146a425cc1ed6a2a584fca18c669a984b05b0e

SHA256
d16b38279e36e42c7868e3ec8bf986e2a3a389b482da601ab57174f349608c41

SHA512
8ad3e3d1b665445a8f43aa9876ca0e47d7d3ed9f18c89ee1d994c4a7abc79d59a8afd76b9ac935f53d3a896a76eb1e109e2a735e09f9e243764e94ac99cf85ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
2c3f88e67b85de132e62eca7e73a26c7

SHA1
70efaf9bbb989ada4f7b66175e312212973ebcc5

SHA256
4b35ad34cfd09291bb67e3c194810a0e9d658d4b475c9995ea846c5f32afb73e

SHA512
0e602733e651e84dbc8e8201f4802a3e0666382623b5752f6ce859b30b08807cbbfb7948da5c36ef32f0cc47ee1791005e6e159f8262b953815ff77fdbfba974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
11e11339bc87d4858fddaec161436472

SHA1
19b81419b000249f81c234e63d01c495310b7d1f

SHA256
d485821f984fc18ff03204db18f563e54d005ea44e4bcd33addc28e183c50cf3

SHA512
4a52111b1eb8b4813188f8d294c5b42d321620800bbaddcb1c23d2fff11cafcfc6f8d93dc94f180ae1e85a5c07be0b39c73a334ba68cf8f8c061349416549b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d383f96ff60e3c1683facd2f27d35cad

SHA1
40bbec5fccfaa3a1b7a6ff5d2771dee76989326e

SHA256
705e5eb80001a4b749a0270d3f613edbd1e74efb8f45cf4995af0ccaa1da09a2

SHA512
a534dbbecc06bef4c9987aa8c67f256cc11230924901cc056bd4fdf5640d94c664adad5e7c34d3b54504a23bc2a8eb93a3d0b8a85dab0266a948af3be122a3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c38aaf738054c61510e3642af8bccdf6

SHA1
4fce10a1f514068501665112e2c19a339ec719a5

SHA256
84731edca93e8c114362d7e64141ea156b8a8e850e0c57b7c6f1bc4578bac2ea

SHA512
22f966e305d232eef24cfca14145b38c560a3cf7f4f524cfa7a731e5aab4e9b961b1e867992a962b22d8229404347586b186e590c425794a2ddc62961a4fff44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\958a9ec1-89f2-4ed2-bc3a-728a3f915673\index-dir\the-real-index
Filesize
2KB

MD5
8cbc3c06f411167dc6cbe36259cbb758

SHA1
54868b1aba9fb3c72393f2e0f29cbc18c92a2998

SHA256
a95b1e37d43c7550bb9a364df3d55ecfb00ef67315cee025ca5b553d8fad5088

SHA512
0c6b3ae74bb05aaa164b9faa32bf198f681595701cc006ccff527f77d939c6518663c9e083a8c0934a377652ad86bd1b98325a4ce7bd330c3e2c0a30354b182f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\958a9ec1-89f2-4ed2-bc3a-728a3f915673\index-dir\the-real-index~RFe57a7aa.TMP
Filesize
48B

MD5
afb7d5532358a1e3d8746b2f1ed59950

SHA1
c5368f4a47b434d769ab7d96203c24f801bc46ae

SHA256
1c8306d39140b4fe4fbe0f851300f8a4d3afb4f6fcbb252079ca135126123bb3

SHA512
285dbd4ccb610fe83fe4592f341a770e56442c65fb6005a6d77f2cabac4e1805d1f9846e5a253dc1b4d1d3c281c3bd17104d6389dbbca9f3d934c7a3d7131c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
cc4bb88f4f47dcfb0a32e2db8651b6bb

SHA1
8f41fe77d0075ce13865f4a0201070772b00a5a0

SHA256
806be9366c1f6a913e06ef77ff37aa6d3f4022437cae86cdc71f3dbcad020fbf

SHA512
89f2bf35cf82905db8a6a988ee7bd7b41ed8ee7bc15aadf96fb6603ca453d9ae65d9f05b35cea536d71ad3135eadd62c00e6b4c26ab1defecfeae68b6daa8821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
3f5fab1492852bc7e82b2fcc8c55702f

SHA1
747bd0d9777d26ce132949ab175ce2003e45ed48

SHA256
4f7b1bd5ac2f4c789aace855349cb5dd80a6ead8a6859cc22bef063533fdc1c5

SHA512
afe78c0eb87fc40290a870166993175135d1a8e63ddb64cbe89df6bdf921b9f86bd69e7722e7841aa9afaee708e50e4efc37313a39f43e85d362125ca8e436e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
60ef7d937cb2285ebee4af47a2f00f26

SHA1
181fee7561124a18dbded53bc467eec51b215a5e

SHA256
e10769f31cec55dcfdeb9e7e9c3da47d81f6470507ce7452f7b119941cd108ad

SHA512
ac4d320ec9c89eb33064dc7e2671d6f28842a0203262cc1bc9936102eb0f34411c007e48877aecb64f37fae44d60d0985c3dd2eb7def17891b8f2a3aba8703fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
84B

MD5
910088e3723e97cbe588efab5107085e

SHA1
d2a295e8e6f6b793e6a93b5c01439dc440d6088a

SHA256
e347040a0385cb3b80b434e1871a7275da8aa77866258a23f1d045cfe237bf4c

SHA512
d1cf50c3b5a26c2851f7e93c57111d88ec9cbee2271c8cee487ab2921f08030a2a147e126b68906250d482ad17cc0c6e3a840bb064f16c1ebee17687fc012201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
2aa17a87910d2388f0b170da7b097608

SHA1
7f4cf4dbd35ea7c2c1d032448eda0d536e3e82ea

SHA256
898c6e435f61d7c50ef4902558c72533b65b03beb0d8957e0bd98736942ee64f

SHA512
e441934911ec3d26fca6b74c43ceedb6c05c45648710425a753d8903f350341bf31b4591f679ab08d6eb3c0bd49e72c2c7af4f5ea31321f705b5882c71a717c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a316.TMP
Filesize
48B

MD5
50139402fdb18640b1ab4ea284d283ae

SHA1
9b5fd052e1be45b9215f4bd8bc79d47ff283f4f7

SHA256
4bc3dd4004033ea8c43308a34f88b3a7c4703641cb6525f6789b72b97ddd7281

SHA512
16e0b3680906b3256846db1cd950e092c1d73b49aaac404ae2edcce4e3dd8bbc50d3fe2d4b43b5f843e7601cc0cfe9762b3bcfcf1f422491bd25aa772e67a5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c16ff03528d799cf3426fd8606559102

SHA1
9c3996cb5a9c9c258ae956cf8f649584d05dd78e

SHA256
724851e603ebb0c2dd780b64c29b241d0ee5d6bc5c77c41476da059b569a71fe

SHA512
20c3ff21eb100677359489acd224730ee37017a6ef7dee275222264179c61c66cac3e0c4771c4b830cdfc9c267bc5360239314911615b851214d60d15fe10115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596fe7.TMP
Filesize
706B

MD5
630dd4e2f36cc904ca339a071f575f5b

SHA1
47cfc384a766bd5a0d07d96d1e1697450fb4ebf8

SHA256
6864fecd6e002946090f1842e79585ab973441b5bd8ddb133431680968c15b76

SHA512
86f6d1201124e43ada39ed33df066681b37949136ca293c4d2d4304703708e155b6a0513f1adbd10b2d4e7d15e5c6053718b8b65c8bb49b3b53d8cd28634e6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5cac17dc83e50485e9fde412014ffcc7

SHA1
4e1478429177440c79a94dd22f065645d472a833

SHA256
62ee2daed506d59154fd1276dc683d2728fe1498c2900a6f7b22a0cd6165660d

SHA512
da6b0a41d0c307c9eeb85cf9dae172c8818935f3b926fbfb9c0d4eef4134566093242e6fc4e56822b473f3977ce4f02efa5584ae094489c39d59066f98e6de38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
f07ddc993b403888a787ca6406efecb0

SHA1
c0f6dd6f6206daff727c9c47277e0c9a3daef85f

SHA256
8913aa9c7f9aa54e591d5596b6feff1c72eaa593af143c74d86bcd80b9a8c3ba

SHA512
37d114763b9299729ce0b37ffd4b9118c3cd8810c64d35fdf8e69cfba5586c0812458031d9a65fca597b69c624b17171ddf7301d7ed89c0176864bdcc1ce2a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzhsu23e.0tb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\MAS_82148513.cmd
Filesize
435KB

MD5
0e6ce6cf11922b9c4f6e7f0cf315d0c6

SHA1
71d7329bab1994b4eb86a25ccef49bfafa93575d

SHA256
71ba68a8501bf4786f71e6f36dc8a38f3d8aa4852d1491faebda280769216988

SHA512
f05881202b4bf13ab1096909a71edcbd0ddbb6fc417d26be1eb102c2f08b28568209ddb05918c7cf98ec65808a504bc670d3c4cd1a7986c0c1c6c12d05089bc8

Download Submit
\??\pipe\LOCAL\crashpad_3988_RXJHZWMDOBFGWIIE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5360-327-0x000001637F2C0000-0x000001637F2D0000-memory.dmp

Filesize
64KB

Download
memory/5360-309-0x000001637F6C0000-0x000001637F704000-memory.dmp

Filesize
272KB

Download
memory/5360-308-0x000001637F2C0000-0x000001637F2D0000-memory.dmp

Filesize
64KB

Download
memory/5360-307-0x00007FFF0DB00000-0x00007FFF0E5C1000-memory.dmp

Filesize
10.8MB

Download
memory/5360-310-0x000001637F790000-0x000001637F806000-memory.dmp

Filesize
472KB

Download
memory/5360-306-0x000001637F300000-0x000001637F322000-memory.dmp

Filesize
136KB

Download
memory/5360-322-0x000001637F2C0000-0x000001637F2D0000-memory.dmp

Filesize
64KB

Download
memory/5360-588-0x000001637F9E0000-0x000001637FBA2000-memory.dmp

Filesize
1.8MB

Download
memory/5360-589-0x000001637F2C0000-0x000001637F2D0000-memory.dmp

Filesize
64KB

Download
memory/5360-321-0x00007FFF0DB00000-0x00007FFF0E5C1000-memory.dmp

Filesize
10.8MB

Download