mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe
Size

781KB
MD5

3a159d3beb7777641ab405302ccba736
SHA1

b6a12d0f32715e58738f68fa9c35d2a3d72c644a
SHA256

b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5
SHA512

47990c1d4cd78861cec2d317eb556aacd3bd7c8d33db68e9d2dc3eab5eaa89bb874faca7a97447a36dbd553df4acda4f41d487c2175cf5325297e10a7e6738ca
SSDEEP

24576:dyYQnSunE/aeuIsSC/GRLYD3kYUiTPMtXXV:4zn+ietDEGKQGQtX

Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/6744-170-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral15/memory/6744-173-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral15/memory/6744-171-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

hU8Dd26.exe1Al31ID0.exe2SH2432.exe7LH35mD.exe

pid process

3944 hU8Dd26.exe
4972 1Al31ID0.exe
6272 2SH2432.exe
6768 7LH35mD.exe

pid	process
3944	hU8Dd26.exe
4972	1Al31ID0.exe
6272	2SH2432.exe
6768	7LH35mD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exehU8Dd26.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hU8Dd26.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Al31ID0.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal
Suspicious use of SetThreadContext 1 IoCs

Processes:

2SH2432.exe

description pid process target process

PID 6272 set thread context of 6744 6272 2SH2432.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 6272 set thread context of 6744	6272	2SH2432.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7LH35mD.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LH35mD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LH35mD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7LH35mD.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5040	msedge.exe
5040	msedge.exe
776	msedge.exe
776	msedge.exe
3820	msedge.exe
3820	msedge.exe
2580	msedge.exe
2580	msedge.exe
5252	msedge.exe
5252	msedge.exe
5884	msedge.exe
5884	msedge.exe
1680	identity_helper.exe
1680	identity_helper.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

1Al31ID0.exemsedge.exe

pid	process
4972	1Al31ID0.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

1Al31ID0.exemsedge.exe

pid	process
4972	1Al31ID0.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe
4972	1Al31ID0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exehU8Dd26.exe1Al31ID0.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1524 wrote to memory of 3944	1524	b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe	hU8Dd26.exe
PID 1524 wrote to memory of 3944	1524	b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe	hU8Dd26.exe
PID 1524 wrote to memory of 3944	1524	b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe	hU8Dd26.exe
PID 3944 wrote to memory of 4972	3944	hU8Dd26.exe	1Al31ID0.exe
PID 3944 wrote to memory of 4972	3944	hU8Dd26.exe	1Al31ID0.exe
PID 3944 wrote to memory of 4972	3944	hU8Dd26.exe	1Al31ID0.exe
PID 4972 wrote to memory of 3820	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 3820	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 3896	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 3896	4972	1Al31ID0.exe	msedge.exe
PID 3820 wrote to memory of 4932	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4932	3820	msedge.exe	msedge.exe
PID 3896 wrote to memory of 788	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 788	3896	msedge.exe	msedge.exe
PID 4972 wrote to memory of 2732	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 2732	4972	1Al31ID0.exe	msedge.exe
PID 2732 wrote to memory of 2916	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 2916	2732	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4632	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 4632	4972	1Al31ID0.exe	msedge.exe
PID 4632 wrote to memory of 2772	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 2772	4632	msedge.exe	msedge.exe
PID 4972 wrote to memory of 744	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 744	4972	1Al31ID0.exe	msedge.exe
PID 744 wrote to memory of 2012	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 2012	744	msedge.exe	msedge.exe
PID 4972 wrote to memory of 4780	4972	1Al31ID0.exe	msedge.exe
PID 4972 wrote to memory of 4780	4972	1Al31ID0.exe	msedge.exe
PID 4780 wrote to memory of 632	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 632	4780	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe
PID 3896 wrote to memory of 2260	3896	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe
"C:\Users\Admin\AppData\Local\Temp\b108a8edf956b42b12ea1c64e4706dd94bb85d9796bbc155ff54e0cc26578df5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hU8Dd26.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hU8Dd26.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Al31ID0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Al31ID0.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
5⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
5⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
5⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
5⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
5⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
5⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
5⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
5⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
5⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
5⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
5⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
5⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
5⤵
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
5⤵
PID:6360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
5⤵
PID:6512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
5⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
5⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
5⤵
PID:7032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
5⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
5⤵
PID:7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
5⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
5⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8220 /prefetch:8
5⤵
PID:6932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8220 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
5⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
5⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
5⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7676 /prefetch:8
5⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
5⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,4740441798630272855,7144064342462997073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8688 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9971809582406043979,2599498529597957662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
5⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9971809582406043979,2599498529597957662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,6389120437672045083,14345634804715034084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,2716101865923309238,1442541873302354768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,1164616656936105563,13844894860172464461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x104,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcaa4546f8,0x7ffcaa454708,0x7ffcaa454718
5⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SH2432.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SH2432.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7LH35mD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7LH35mD.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2563847f-3720-4ad8-b83b-42e1607b39de.tmp

Filesize
4KB

MD5
5eb6f267084eb9b3cd3d749d1e13db17

SHA1
8cb3ea86ceb3cdad75c35feec82ed68f04fdd790

SHA256
05667ec9159ba4fd77de904ad53df9e12efdc7098551f2f8f02f7c5f786e12e8

SHA512
b33bd99319b3e17c8eda0baf184ee2a9f0c8bc03d8c40da686ad44be41431575e82e786d02d4fd6ab9aa5c41d49837ecfba09c2e4dacd03c1e7c3b09b9078e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
27298f75c766bcd7c1b8b2049c24d67e

SHA1
eb1ee78603935809250e267faf6a3bea32a822d4

SHA256
fc7d7b93b51b7560e1131e4bf3f7d63c573b9c376bcef66ff1ed6a6ec0105385

SHA512
75e82ab72dc6517d63d2c3a787ba08c28664c9f68928f9107ec6ea1cc0341bb4365383f94030210d41b1e56a960fa0e96e1c0ad0de46cf85d17e332c247bfcd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
09f1a8f3ec1bd53182792bacb2ea70af

SHA1
98ca11dbfd01c2691cddd25f56bdb06ae3cc5a88

SHA256
d2ad8b778b66390e485c9d92f833e21db23528d0fe9605ed7c310603253082b3

SHA512
458655963ab09f6d35fb23cd94485f4d00d5e2bc902ca72b5ce9322f140eb2d0b5d0dcb26eea938bb52b784e12c99264f8f254cf96996e8ba94acfa5077fe990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
00c474aed0af5e8394b9bfbe9a4b444a

SHA1
6d42ff1cf5929adab266a0ec878c5a34a046554a

SHA256
cf259e6ca293b6fea0a3feb916b60f82d0460c8927a8e83fbce8d0bd775c921f

SHA512
8aecd6078eb03f8cd5b3cc2f0064129aa06b2dac3c83ca7f9964993686b8a48778c0c841e783b0a9fe4ebacb23d6650e7bab34f4ef96f5afcd1805e827813ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
057fa4f6e61ef60b21aa604c8de866eb

SHA1
ec2a07ea81bda3eeedd6e83464967ae82852ee15

SHA256
0b4990b244c42b5048d195ef24e001710ea7fba418f82d1826cd52ede471e60c

SHA512
db7b677d5703f144ecdafe893b9451c0dbaa70329635699d93385ffb723d5b52e93868b347a8c58368bc961a7617b330d63859902deb6072795854e68cad7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
007b702c15338661a9fdf406e9d21661

SHA1
08b633da3864dc9f036668117b1b75af75b9530f

SHA256
a45c7b8af2841ed16176a371aa21ca8111079886edbd1676cccd312eb1fc3c9b

SHA512
4d90fc651ae6dfe6e2a78a029538f715a990efd99332cb97bf128df7e12c63331c4133b0f31395ab837ea69c61640cb7b7d6a9eac730cdb9e1f9a6930e2af142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9406419edd79244695ade5f9c6dfcfc4

SHA1
894fe686f1eb386c946f3c0d57aa875443cd131d

SHA256
3c4592529bb4d2071b7e8251c99200be7ba8e8146adb42b20820413e991ae462

SHA512
cd61674f903b4011ed15a208cef2ae449c55fc26e3c69e03bf0175eddf08ff3e039d4a09729578bed033a9232ad2f5b211b3d5b3f41001f8e72dfd64233226fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
94a0b796b8eca87960750168a1ab0c5e

SHA1
1d5d1544e8779f8b36438e38e38db4e93ff1e99b

SHA256
3977583c6581beaa9ceb3f658ec6821dc81832ed7da685be21d5a2b43cb85307

SHA512
c7ba3f939189a55d7c530045ab47dcb3e6f3ebfc820da8079e4387b37c1500c47d6c62b02bcf41e120ad44e42ac73cc09488e940cf865e2ad9a0845a275bd191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9f380b14c183b6dedc8a0bc1f9959481

SHA1
ba3a33b07f79f722c2a9119dbcf6a370045c56db

SHA256
b4966486e60daf281724a89721bfda86757dc0117b7f91ac26b408d30499a26f

SHA512
2d04fca5162ec2fbdca8834d5f319354e06cc9201ca3928fef667c507ef1becfcd48c535a1a3abb32d2aacdb80388c737c995b1e576c06ea11c6c649ef5522bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
fd3d20075a367384273e44cd0de27da4

SHA1
16ce0c89ef1ba0b46ca51e6b1f354873d01c980b

SHA256
a28d0288ecc5122d17425e93267359f1f00a86812f700d1d8a2b5e0ed78a9fa8

SHA512
7449efb3fe53bfbefe62aac99c8bf967c81f94aa0e61da74b6c13ec63f9b384b6017de163b121ffc037368c021c772fda372dc7b56f1a9a8adbc53bdc24f93af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
8fc8f954f965ddab75016576fbc714de

SHA1
17695f47bb84c9a026b7105f1acd5c4d05dfc54c

SHA256
9f3aaf3f5865669f863d996a962c9448baa217907b59279497140fb077d19aa6

SHA512
99204a9f321f59a6578aca6091c3c72266e2337a7d4cd062c032a48bad671c0f9625aa358db3b4d2bd4214f9448ea7f35c259e92764bf7383e5c11cd5b6e812c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
bcf4a1bec2bd199833d305f6ea53db3b

SHA1
d4c16574e38ed732c0ff5a1fe1c4040dd901f0a5

SHA256
16937afd627917d5d0a655e721c65dc9995c0ee101fff5a3761920dfea7a8c45

SHA512
9bf79c1ac14571daf9ec958d333e225333eb8c98c1c57cdba900253329419cc618a109a846c65aa385028902d636a52be8ba8c44b2de8f9293a929fa5c484bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d99adf0b2a5ccb1432a7882ca3fefe0c

SHA1
488e624bb91ce044b736a54c7a4fb5f180bcbdfc

SHA256
1729965e701e681ba77bb9b3ba756bde42e48fb7ad75e92afac0f9a95db9def8

SHA512
bb3f78845f3de379eca33e65df071fd151b9e75671c553a9e8b76c359d393fc94d32cde42c566619b51eb13522959ac635fad55ab726cb0dadc7c8e930581710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580385.TMP

Filesize
48B

MD5
2708dd6f964fc1e4958eb117d5544d1c

SHA1
44994f1fc6c94d5187db378bd66964791f812b90

SHA256
ebbbc9a1682c0b98da7bab4bd88f5a57835898f297d69d6f82c3d60f4ab28758

SHA512
2173a1581e0fba47b2c2c6f6a59b6d1b4475e80c2811ac3763abebac1ddf76c5d05baba47e0e843b96e787c212b57e7c4b7ca6bf9d3de979d7ce606acbe55064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b50920824e0c77eeba3e9c25c3423c3a

SHA1
75d0c32f59c9d8a5b36c64b108030893d80e2eb5

SHA256
3c6d8d647101ea477ab1a4adc5be5fc8b045941e945a73f77b0bd4539b0fcc19

SHA512
d9f565a195a06fc1d98b36f118d6945867a56f9e58d86ff351209bb97020c09c1f61b4e9a577a6c3fa845590b50ccacb650e61e76e36bdd8f4a2d4967ed3b7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0ea82d553b64c090085864b012dc2d52

SHA1
d1410a08eb94506248a3d32975b9d3a0599ff3fa

SHA256
6644431a13a1e346952d08fe1229ff8fdfb5a108ff510210580c0ee27302ed0e

SHA512
6ce0d04847d7b503603fac9b705ca6761c484dfda8f33256af34a7f17b7c5ba6b8cd006f36c48ace97d28cc4688206e04a74200682acd1c5373a33208a693e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
fc1934826fc40722921fb97d37dd666e

SHA1
131321b3eee15b0fed2fd99a4d952bf60444d1d0

SHA256
e68a950b9680a669cc161ea9c55c70045864cd51333ddc563c0c68f7ad3aed72

SHA512
fcf7924b41e717c7c7a97072753fbfc951861c0fd45ad8e9cbc866410a1aa90771ebdb33a543d8288d664693e5f4bb1dad1b251677f5ebc27ff66fb49f9ad6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578bc5.TMP

Filesize
3KB

MD5
385fd462c1e7519104f04384a18b1871

SHA1
3fbfbf25631df53ef96073f97dba1d815c4f35d6

SHA256
e5c13d5188b7f24edb1fc9786e74537bbec84bce650d45d30fc2a70841524381

SHA512
0739286150f49d3813a572a61c67a8d017199326bb5cc848ecb8b8e0c31e49c38d66b999ea073d84f63f5a1873149d80537e160f2d87d3ce41065d80153ae519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9bbce8de7f4c27860ae195c64cc31991

SHA1
68ef51dd8bf2988c6f17716f1003de0003eaff3b

SHA256
606a5375ed8233c3ae1ceb40f7a893375b81cc59c10f131b2f1fd87badcc49b1

SHA512
87d3ab328d70677f65e08cfb6aa714030b935f020e59ece1d0dde85ee3b130f5dc39a1b08b5638116e2343ccbb1b0f5e4b359c31ec20b51d1c45fa9cd18ae5e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7abd4efe55ecda534fb997062d7f36a3

SHA1
5c166a33459ff97ed7d9378e9bfa3b5ae9f25468

SHA256
b4d87fa70fb682b92c8955c55de9bd9c3d30dcfa27fb2999df578d86c39fd3e4

SHA512
470722e7b133924b1e158eb5e93ddc4451ef72f5398aa5644d5f53c5a1a2bd6c901a3743ab5aee132bf81bf844fd1a809329bef06093127b2d3a4a2afc9c2605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bef0fafae03bfa82cf6677a816d462f7

SHA1
3f9fdf553a8af1c139ae9e471b11abc94af2a958

SHA256
e782f838ea17136a7ff5c5faeafbcdcf5b5498bffcecbcfe8f60fee5951c5444

SHA512
3607a24f4775f5ab2b34f69aedf47bd37c4983fc6078ac71acbd6caeae35b8749ac71d0a786c124728a51f5a05c6ae5f2e44e7cbef770c69b283cad807a10d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
87efdd43383845b3501371dd2a1cb59d

SHA1
509135674e5dd33ec874ed2e6a5e3bd7220272dd

SHA256
40dcdec263543f480ef16f1ea642d6324bb2f1c3a359a726366c34058451f845

SHA512
93953571e39ae785ff74d8edbbee001d90d5efa9b1c94f3d2d36551923360bf2e2886572baf83158a5508ff24116b3fa436013be4c44cf331e45b486989b121b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c56617e4-9b0a-47bc-962d-b43e788185f7.tmp

Filesize
8KB

MD5
4bee192a4f51d7cb05c2dc9e60772266

SHA1
b99c1b8d0b95f43e765567fc7a88bcdf89220dc1

SHA256
846153a5062883b894a6ec2466acb4c3c26c4157c0f7c273caa9b11cb343eb3d

SHA512
072d3fd8c91fb02ff2133393b2b511112b4d8d4cac8cca3f619430d189fd701be9774b392007cc5fd1eaec22b42a28a8562f6bc29f4b33abeb28575ce8b6f3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7LH35mD.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hU8Dd26.exe

Filesize
656KB

MD5
a845e095586e631f0e99685be4b89b1f

SHA1
5184f02b58abcce77d52f4dcf997af5fe928a118

SHA256
27416cc9430d71fd431775f49247b3b4489ca517ed6e3b84cfd17101719dedd5

SHA512
f929b9699948945c3533bf38667229ea8edc2b25f4ba12be48b60f8eef63e3e1aeaae2c64fc770c6745a2a6af12ff63ad3bcebd917bdfbbef0c286fbe1f205ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Al31ID0.exe

Filesize
895KB

MD5
b367d9acdebaa49fdc8e9cb0b0ad9561

SHA1
017906035cdc73bdae0c01b8c3564d8d6501d2a9

SHA256
609610d188215996489525ac5bbb9855200e7bf20c73c454ec4ed089c04e7fe2

SHA512
d7de794b46a7606a5a687e0166b0c82643259d4d6273c435fd19c711dcc8408c7f34d7e21ed95ba3ceaea6a9e9ef713335e2bdecbcafc7f77df3cd4ea79eb9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2SH2432.exe

Filesize
276KB

MD5
3805fdb827c37be078bdf1104cdb082f

SHA1
50502e9735d8d36498ef13627629bd6524b0a06c

SHA256
426809200c55f86b2f2bf23833ce624a4bd376e65f1995c2d58f92c4148ea7f5

SHA512
5dbbb3370c950e94be25ee462b718ec18b71862dfdb590cdb627a3e25b59821d36b069a50a208ce3a648584a97ca6ef07bef9840ae48a7fafdbf77d45024b13c

Download Submit
\??\pipe\LOCAL\crashpad_3820_CWOVRHHLHQDXZEGZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/6744-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6744-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6744-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6768-178-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6768-177-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download