hxxps://getfancontrol[.]com

Resubmissions

09/03/2024, 18:11

240309-wsxdeseh9v 7

09/03/2024, 18:07

240309-wqtjraed29 7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getfancontrol.com

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32\ = "\"C:\\Users\\Admin\\Documents\\FanControl\\FanControl.exe\" -ToastActivated"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32\ = "\"C:\\Users\\Admin\\Documents\\FanControl\\FanControl.exe\" -ToastActivated"	FanControl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
54	raw.githubusercontent.com
185	camo.githubusercontent.com
191	camo.githubusercontent.com
192	camo.githubusercontent.com
193	camo.githubusercontent.com
320	raw.githubusercontent.com
321	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32\ = "\"C:\\Users\\Admin\\Documents\\FanControl\\FanControl.exe\" -ToastActivated"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe\DisplayName = "FanControl"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe\IconBackgroundColor = "FFDDDDDD"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\AppId = "{ff805ed4-ac28-c04c-098c-cc3bd264b027}"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\RunAs = "Interactive User"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe\CustomActivator = "{ff805ed4-ac28-c04c-098c-cc3bd264b027}"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32\ = "\"C:\\Users\\Admin\\Documents\\FanControl\\FanControl.exe\" -ToastActivated"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}\LocalServer32	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ff805ed4-ac28-c04c-098c-cc3bd264b027}	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\FF805ED4-AC28-C04C-098C-CC3BD264B027\\Icon.png"	FanControl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\AppUserModelId\C:/Users/Admin/Documents/FanControl/FanControl.exe\Has7.0.1Fix = "1"	FanControl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
800	msedge.exe
800	msedge.exe
1860	identity_helper.exe
1860	identity_helper.exe
2708	msedge.exe
2708	msedge.exe
2804	msedge.exe
2804	msedge.exe
2804	msedge.exe
2804	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5728	FanControl.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
5728	FanControl.exe
5728	FanControl.exe
5728	FanControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3868	800	msedge.exe	89
PID 800 wrote to memory of 3868	800	msedge.exe	89
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 2584	800	msedge.exe	91
PID 800 wrote to memory of 3408	800	msedge.exe	92
PID 800 wrote to memory of 3408	800	msedge.exe	92
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93
PID 800 wrote to memory of 4040	800	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getfancontrol.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa068b46f8,0x7ffa068b4708,0x7ffa068b4718
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13220099756894735640,5183732856495540273,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

C:\Users\Admin\Documents\FanControl\FanControl.exe
"C:\Users\Admin\Documents\FanControl\FanControl.exe"
1⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
43KB

MD5
5155b09603bdf32a86fc19ee445b3cda

SHA1
73120e4ed9db3d17f5ceb703cdecde2152f14d2e

SHA256
489af09eb5a62a6580d3bb7cf117fc70d087fd52552b6dbd0431d91e16bbe2b2

SHA512
63facb3a599f857f6f638d9a1c3ae07a0dda8b4977ff2b30a8d822b9778532f7f4dd89635744be32d1782ecd70667cd357cefdd444ce43c9c57fe1176ad182ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
93KB

MD5
231eef24776609e617845c6094f102e4

SHA1
c872926591f244650e43035e1d7590917b1332bb

SHA256
433a936b6860eae83ef8d6b74128bb286f5c2efd235d29d00138cdc32cce4fff

SHA512
35f767b9a839ffd060faaf12b7b68b29ef8b1ecc957a5eed645e7c0598078831c7f0e4e35873c3967f1126b6f10601c666f35a7ddd0bf91b483ccc5fc81c23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
680b511e5b296eccfa48eec58717fcaf

SHA1
0c83b5b7047d333ac6d39cc591de8d4c74363b18

SHA256
71ff803eb56f88ac8af39e1b1b8bfde047462c6bf039d02324e6e0f858f94651

SHA512
634367b3ad01c5ef8608db53450462f5ddc8c83976c13a68b3f29034ad9b4a49f1856b83cf8883092da0d82ecbdd68aab6b1cc849f57ee05467fe20c58cd31e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b372d40cb579afbb07384c77b0cd747f

SHA1
190bedb79dc811c4c987b60395345f6dd53a8e9e

SHA256
ec2149d08ff00b442e2371051dab21d294c8f3165e1713ef8c10dc94f6294893

SHA512
4a0767c8269e92308e3f40f533d1351230ced22d94610dd9ebf709b4d05e096ccdf74a60158934b00500f3694c3cbd5c7f3ee9942ec73d0af520c8decc39d231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a5d3dd84a5f545d552ce0bb0b82f8c26

SHA1
383ae32a52835cc006e055a5f0ea557c4c27cfde

SHA256
1c09e4164c1bf38a6c091330a03d77720581b8d24bbf446b79b1b8d6d3acf9ee

SHA512
6cf2bdf5e0bab705c8aa97ce08ec5e31f5ea1801d3040fd21602bdf12694882dc951355d2e59adb61c5f05ce4b61c3a3ebb9cc76328dd38f3e9512e022ff7a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fbba60c5fa62c52b2b823043befe40c6

SHA1
57c288d0227b8a22fb867ada628068eb4c0e9865

SHA256
c237831592d4d1ebe2fd58250cbda552178b5e0efa77f2322b1a3620ffdafeb6

SHA512
c8c372bbb2a4283e57e77af18198416ebb05f1a792ffab8c888d13aeb27981517b0c69e2f0b521993ef6f7fdf96323f3236fa9364984c80307fe9fcff67edad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fe231c7e430eeb6b7252a3bc6bf7420

SHA1
77443250969650c3dde0177f886b67dce4b2096c

SHA256
4c8a781a4eb395ce7c51dc11393967ae11b9ebd45e4cd3a5c75fde83c088734c

SHA512
730baa53fe9f1c422cb760c92ade7a78272653996401ac5b74c15d1058c9f2f324e94fc74013f031cecec569a8f4d5916b566da2b9cdc9a069fc4251fbe64a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d86ec9fd430940bb1514d8515f1e97d

SHA1
044562e1d87f613ca5f8f1083924b814da3ca35f

SHA256
e61e39072097e412328e155d68269d7f349b285cfa4797cf3ccde4df452946e4

SHA512
838ce91241ecee2d97fbd9a6027eb1a81960652b3e0ee29949f4b6154d46075501866dc94ff75c1bfbf7f6ecb9ee5cb7f25d2be7a6961e8f341eb675daea8fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f8508f369c3c9390737b3ceee661d83

SHA1
8a9a3f3fc0d3382de4fde4ded3c5c33fbb641858

SHA256
6a8e5a6c4f2f48b2a0dc607d4b8f4618dfc6970995baaad4f8edb642317f5b05

SHA512
8be3cf678f24753cb98ba3bc5f5fb65528e8dc0ea25b529d8534f32ae4f4ccc0dd077f5d4c45f2c8db0d968b0d3e979bf1dad84156febdb6f3b7650bc3007d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
464ff7348485d556c296c2a08c0099de

SHA1
aabc450e887e689ce9bb86d5b3cb5be01d934f4d

SHA256
bd1c981103ddd3eed593e9b4d05c0eb231133693f011c6fd52ed911608f62e51

SHA512
938acdd4a36c6f75a9aad95140caf255f5b6cd6c9025a7ac03305099cc7c03cb129ef3600d4090d6ce41b1c3c9192f8f869c362c4ee78864c58d447f955f8f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4145ce07a06bccd14d2fa3b9047f6d43

SHA1
952d07806de564a75e2d2891d2e95a55866460a9

SHA256
9fe998db3a50fa5e402eed33c79c4f3a161d7d3c3aa6349089a186dfd1a3f49d

SHA512
0eb823be1f4b9b3faaec710f0023fd371ad22aed928e124160cf9c7ffb8288c87a55df80ff1dfe59321344cffc46dcfcc13232efbd6679b83cc98e292625c5ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97f2d00e51420534f1966343937b7502

SHA1
79de19240ff48e374af8f12e16e4b0e4aea2b0bc

SHA256
028759f2c015116f720eda53cc3ef6f0b5ce718c6ed1c42b40590155240c5abb

SHA512
26184ee331746d2a0191f15219881dd26e803aa8f4e14f709feb6e86f8229f7af8237a4fa53f73b03a7af4be55b98c406954c03e439a27e976dcae4601709aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Filesize
36KB

MD5
e70141c0b164644277668182d9b26e28

SHA1
60ce09c88c9e59369eea073852a05e2fdf00bd75

SHA256
e77dc322f858325a4d753574660a7e54f51495c533eb3c05111b7a20d34afa83

SHA512
e5176e8be1675d85093dee19cc5bb271ee9b401cc2f65a316b53a6032d194fba85c67a848e37d64c749c3fe88f4207a17d93fe34f8451431c06c55dd7de11059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Filesize
66KB

MD5
e50a44b630f6d4aca779e12ad454e0ae

SHA1
9eedd1efe490959f3ffa723b6d927cf99e36b2aa

SHA256
90a860d289beb0641fc21a1510c391bce6e6ba4f86704956486e3ef721f8e761

SHA512
1c7887c7147f13df7c6fa685cf7de41e074096dfb3227969b2d932f713a323c45d0df0f7827e901395c434f8a51737c297b4cc5c0d05c61d6c159a0dfedb185f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
12bf5a5c53fcf862cf3d9fa8f3a05b01

SHA1
da3c2519084e26c927c88c3fba8b8c792f7751ec

SHA256
79da513134e9e8b9ac599b08c146f975a77aa219339990229ff26f2574da448f

SHA512
41f7bd4b17c8c530494c1d18eb638092123851cd52ed501e6e3b644c5aa52474941a953b6e9eea765c390f4dae79ac3a2b2c7dfae66853bdabbeb0ec1d50c8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578f30.TMP

Filesize
48B

MD5
7751e2f7036b629195148061e1d2cbe5

SHA1
1bdc515b5c8b3cbb3b114b8d0a3466440a0309c7

SHA256
44bbc66e353e9954f1b119a078dfa1f3c885806cccc989f0fed5830c13acae61

SHA512
71846cfc43fb5b718692dcd98efdf295576cce940695a1f300f8f4fee95a2da29bbdcc8815d3305ea70c0f3e7bf5a685aeee40609ded4217f83baae7a05826c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5360b3f7fe26d40a08a32dcad207e6a4

SHA1
d21c164e7f432ea44bd64df2bd0aa0b4c3d6b949

SHA256
331a62a29cba07095f1e06c907c1c35f1945000f26e8d729a0185ae13ab0c052

SHA512
c5926a108ec19b1447c95a85be640250442d472331c8eca2542e132708f6874b9ea79359983e158d53ab9d7de79fae0567335fa837f4ff381c0460001b9ce18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2996c9bdf31751c4ceb66f0a49db2ae6

SHA1
03eb97fb72d999d81d81e76848d8aa40932be871

SHA256
1f5bcdbcc3793cf20b8ba858afb5037b108cec1999fec80a30178bea7395e4e4

SHA512
89d78b8cb6b6c11f32aa76280bb70fa76bb194207502af8befddbadaaad6f18113a22381126eaf06b06e5983be1aba446ef556c2e7e30db3e0bf82d8298e2d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586721.TMP

Filesize
706B

MD5
be77c90a29188a8105a54431646a2fe1

SHA1
f106f8616d0a2b6ab62385e6629fdb2c8f6eeab3

SHA256
7d44f906fb96755a923961b2342f0b207e604d8a28296cc3d8ae406678c266d8

SHA512
1abbc8677c87d8545315643a922b4c5e2eef3482e08105515b984ba1ca5384aa4c7e88368ca302b30e0d0910696ef7968017d3c73e9ee67dde5f2f799904e4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d34833e5bfd62c71e3a11ea2513ff03c

SHA1
41f7e6bd45c0b78a32376f543e97d530f2659bc4

SHA256
47245a57e5a42e3ac0b0626d15888cbebc5659d7b1fb947ec53f0a0223b37c63

SHA512
bc52d9573511acdbbeb2d2b73b33bef62125071b6286105ddfb0a83b4996d31e0439954f8386dcb6ba343d410680bfa5e17eaf2d79eed0726aad71641e4ccca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9bf259e9902fe35207e11b9790eff1d

SHA1
bff4f06e6364914ddcc4eb476b1090da80a8dfac

SHA256
e31537955fe406cf3a8504480ae00caba44635d66e2342904e52821ccbdde40c

SHA512
a28bddaab82736c3942b86a3c8446284d9bc58b8b32e647b55f07765139127e1cdccd0b4a8c67f0f511446f8df6da135af08918bb07bf59061827476017c03c8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 615910.crdownload

Filesize
6.3MB

MD5
87d0d463add5af5133b4d78e8478e98b

SHA1
0a42a0f29e732454fcbf9b4f87a89045fb9f5415

SHA256
e08692162cc3ed0f98da09c8aaff70812b6875569af15832c138b42c0fba30c2

SHA512
a9ed9e9fbbba78f43ebd511c171bbecedfacbcbb8d408abec083625e2f711e121d1885e7cf9b66515d389ea1ae5cc8ca8a42715b0e365b2f42959b8be6140842

Download Submit
memory/5728-460-0x000001B8A0DD0000-0x000001B8A0E38000-memory.dmp

Filesize
416KB

Download
memory/5728-473-0x000001B8A0CF0000-0x000001B8A0CFA000-memory.dmp

Filesize
40KB

Download
memory/5728-450-0x000001B8A1420000-0x000001B8A1D4C000-memory.dmp

Filesize
9.2MB

Download
memory/5728-451-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-452-0x000001B8A0C70000-0x000001B8A0CC0000-memory.dmp

Filesize
320KB

Download
memory/5728-453-0x000001B8A0CC0000-0x000001B8A0CE2000-memory.dmp

Filesize
136KB

Download
memory/5728-454-0x000001B8A0D60000-0x000001B8A0DC2000-memory.dmp

Filesize
392KB

Download
memory/5728-455-0x000001B888280000-0x000001B88829A000-memory.dmp

Filesize
104KB

Download
memory/5728-456-0x000001B886980000-0x000001B88698A000-memory.dmp

Filesize
40KB

Download
memory/5728-457-0x000001B886990000-0x000001B88699A000-memory.dmp

Filesize
40KB

Download
memory/5728-458-0x000001B8869B0000-0x000001B8869BE000-memory.dmp

Filesize
56KB

Download
memory/5728-459-0x000001B8A0C40000-0x000001B8A0C52000-memory.dmp

Filesize
72KB

Download
memory/5728-448-0x00007FF9F0FC0000-0x00007FF9F1A81000-memory.dmp

Filesize
10.8MB

Download
memory/5728-461-0x000001B8A0D10000-0x000001B8A0D26000-memory.dmp

Filesize
88KB

Download
memory/5728-462-0x000001B8A0F00000-0x000001B8A0FB2000-memory.dmp

Filesize
712KB

Download
memory/5728-463-0x000001B8A0C60000-0x000001B8A0C68000-memory.dmp

Filesize
32KB

Download
memory/5728-464-0x000001B8A0C20000-0x000001B8A0C28000-memory.dmp

Filesize
32KB

Download
memory/5728-465-0x000001B8A0D30000-0x000001B8A0D48000-memory.dmp

Filesize
96KB

Download
memory/5728-466-0x000001B8A0E70000-0x000001B8A0E96000-memory.dmp

Filesize
152KB

Download
memory/5728-467-0x000001B8A0D00000-0x000001B8A0D08000-memory.dmp

Filesize
32KB

Download
memory/5728-468-0x000001B8A0EA0000-0x000001B8A0EBE000-memory.dmp

Filesize
120KB

Download
memory/5728-469-0x000001B8A0EC0000-0x000001B8A0EE2000-memory.dmp

Filesize
136KB

Download
memory/5728-470-0x000001B8A0FC0000-0x000001B8A0FD4000-memory.dmp

Filesize
80KB

Download
memory/5728-471-0x000001B8A1030000-0x000001B8A107A000-memory.dmp

Filesize
296KB

Download
memory/5728-472-0x000001B8A0FE0000-0x000001B8A100C000-memory.dmp

Filesize
176KB

Download
memory/5728-449-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-474-0x000001B8A1080000-0x000001B8A10A6000-memory.dmp

Filesize
152KB

Download
memory/5728-476-0x000001B8A1100000-0x000001B8A1108000-memory.dmp

Filesize
32KB

Download
memory/5728-477-0x000001B8A2160000-0x000001B8A220A000-memory.dmp

Filesize
680KB

Download
memory/5728-478-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-479-0x000001B8A2210000-0x000001B8A2288000-memory.dmp

Filesize
480KB

Download
memory/5728-484-0x000001B8A0D50000-0x000001B8A0D51000-memory.dmp

Filesize
4KB

Download
memory/5728-485-0x000001B8A2350000-0x000001B8A240A000-memory.dmp

Filesize
744KB

Download
memory/5728-486-0x000001B8A1110000-0x000001B8A112C000-memory.dmp

Filesize
112KB

Download
memory/5728-487-0x000001B8A1F00000-0x000001B8A1F32000-memory.dmp

Filesize
200KB

Download
memory/5728-497-0x000001B8A1130000-0x000001B8A1138000-memory.dmp

Filesize
32KB

Download
memory/5728-498-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-499-0x000001B8A1140000-0x000001B8A1148000-memory.dmp

Filesize
32KB

Download
memory/5728-500-0x000001B8A49A0000-0x000001B8A49D8000-memory.dmp

Filesize
224KB

Download
memory/5728-501-0x000001B8A1EA0000-0x000001B8A1EAE000-memory.dmp

Filesize
56KB

Download
memory/5728-502-0x000001B8A32E0000-0x000001B8A33EC000-memory.dmp

Filesize
1.0MB

Download
memory/5728-503-0x000001B8A31E0000-0x000001B8A31EC000-memory.dmp

Filesize
48KB

Download
memory/5728-504-0x000001B8A31F0000-0x000001B8A31FE000-memory.dmp

Filesize
56KB

Download
memory/5728-505-0x000001B8A33F0000-0x000001B8A3496000-memory.dmp

Filesize
664KB

Download
memory/5728-506-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-507-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-447-0x000001B886210000-0x000001B886544000-memory.dmp

Filesize
3.2MB

Download
memory/5728-517-0x000001B8A76C0000-0x000001B8A77C2000-memory.dmp

Filesize
1.0MB

Download
memory/5728-518-0x00007FF9F0FC0000-0x00007FF9F1A81000-memory.dmp

Filesize
10.8MB

Download
memory/5728-519-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download
memory/5728-520-0x000001B8A0AE0000-0x000001B8A0AF0000-memory.dmp

Filesize
64KB

Download