hxxp://nabtechdept[.]com

Analysis

max time kernel
65s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 08:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://nabtechdept.com

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	LiveChat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	LiveChat.exe

Executes dropped EXE 3 IoCs

pid	Process
3920	LiveChat.exe
3380	LiveChat.exe
4052	LiveChat.exe

Loads dropped DLL 2 IoCs

pid	Process
4052	LiveChat.exe
3380	LiveChat.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveChat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveChat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveChat.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LiveChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LiveChat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{64AF40D1-3B87-483B-AF66-F2B013F9F132}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 315897.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1652	msedge.exe
1652	msedge.exe
1644	msedge.exe
1644	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
2744	msedge.exe
2744	msedge.exe
3380	LiveChat.exe
3380	LiveChat.exe
5268	msedge.exe
5268	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5888	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
4052	LiveChat.exe
4052	LiveChat.exe
4052	LiveChat.exe
3920	LiveChat.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
4052	LiveChat.exe
4052	LiveChat.exe
4052	LiveChat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3360	1644	msedge.exe	82
PID 1644 wrote to memory of 3360	1644	msedge.exe	82
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 3036	1644	msedge.exe	83
PID 1644 wrote to memory of 1652	1644	msedge.exe	84
PID 1644 wrote to memory of 1652	1644	msedge.exe	84
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85
PID 1644 wrote to memory of 2648	1644	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://nabtechdept.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e0d346f8,0x7ff8e0d34708,0x7ff8e0d34718
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Users\Admin\Downloads\LiveChat.exe
  "C:\Users\Admin\Downloads\LiveChat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID:3920
- - C:\Users\Admin\Downloads\LiveChat.exe
    "C:\Users\Admin\Downloads\LiveChat.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3380
- - C:\Users\Admin\Downloads\LiveChat.exe
    "C:\Users\Admin\Downloads\LiveChat.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8476554366748379681,501592312199790739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:1156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e8 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
78c88a26f6512dd1bd1d888f6dcb5bba

SHA1
45618826b508186b3911066156a4005f9a34de94

SHA256
34e9f74205930dd701fa378518329fe8831e602461d170ce43061e1a71444c53

SHA512
cf132d08b0f14a3e665babe9639317b2ac8a1142314e68bb488fa345a21c07970b14371f230317e03f5d6655c4ad3a5ef4df9965cccfa520468abeb1c83d1310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1be77ddda305277cfd932fd1c0e5ed2e

SHA1
0c7270dedccd0d1266596f8851412dd98b9414f6

SHA256
671428c0e9d16b5272b2cf3ddee3946a137dccb0c8d181cdce2bcf5a04b68f88

SHA512
9620d81fd1fc3b550ae59be5bda59a178c0159fb45ac072e77fb4548435798133489b595fd830c8d9a354db6a2a53d82c41a0894ec1283f200c0a641bdb5f8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0facc5980cec941f618bddd92f94e33d

SHA1
26300a1000c43cb9762cb250fcd3a3d98b8509ee

SHA256
145895e3e6410783e26d7410634b8941fb1275983607332165332b29e7e4e193

SHA512
26e172562e2c2f7237637749a1097e672399d89ed999520b3ab0f1350b19b4c37a77ef78ff8c71d6d3f4021666b67c6c1b4ed7937bd7ac66305d2b4495ac8de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a39a6d1aa7306c714e16a4ec9230fc9c

SHA1
ac52efeef2b4c10eecf002af67bd8627d011e517

SHA256
14c20958c9753b191aad8ff2275cf536b0dabb3aad7dd55a4e7fe815bfc07538

SHA512
5d33decab268d0585e8b76173abeb9f4b5519d35950b7f0d3e08f3d34f07c09b67a075c81203062088eb076915c4cceecccb892e2824055e5b5b0c233050fccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
858d7812e3fed2faccda295afc265602

SHA1
ef4a5c7721ebe30df5ef51c70abf895924f28832

SHA256
b1f76ab35207af5fce5dcd78bf495c0f539251b813795fe35551dc8c4706cbec

SHA512
c35dec0785f0a0128b5bfe7e37fa942d95cb1298164dc2247aafcd010b08cfce8a6bcabbb5631447b9ce7f9f707b74b3d89137ff6cfc37469d2877699533d834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7ce816aefa40168467ff7d2e8f8aa54891d7e0a8\index.txt

Filesize
157B

MD5
20849f7a7e774abf23bc4d57897733cc

SHA1
9ce05bc1b448bb6a35eed23d6977db62b52abd0a

SHA256
c01e0fb597dce640827fd114fc3944b6eb4f5fb2e5f86f25c0427dc40174baed

SHA512
74d15ac72658e6ebf7a3cc3f95694416a9aed3ccc153638e56d391039a4b5a1f1a7a1d40d4cf7fb698adcfdb95f5fa781d50d44348881ddbb7d7eb024892889f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\7ce816aefa40168467ff7d2e8f8aa54891d7e0a8\index.txt~RFe582b80.TMP

Filesize
91B

MD5
58e57a18226644ed5b726bf6922330d3

SHA1
b80b6e52274d57128eb12919093909784d36bd46

SHA256
39d0f1ec8158dd0c774b0a3050ba818fdb41042177ca12018f040d703c328867

SHA512
e0a770d05301787d5757896b3d0a26ebee1ea60c9c8b878c38c808b4d0e53d0a184552dbc23ff31b7574b5510ea06d28bd7939f5a7e24e0db536e5c263838fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586a00.TMP

Filesize
2KB

MD5
dcf1b7359f6fb1e5b5f8acfc472db20b

SHA1
bc82d418885a8071d1983b1958aa115de54b09a2

SHA256
d6825cc67a99d21ae1106e195b5b77aa8f4f3478b3df19883f0fe00a85c7c2f4

SHA512
5b08a162ac3e2009bbbb920d697d0eb5412d8a7746362d40462ac72abfdd3f68020cd07bc5451e562ee3d5fa493a4fca890b98e0dc377e95307f53d013cdb4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b17f4fd5-8b8c-4b19-b172-318855a97af6.tmp

Filesize
2KB

MD5
1ad4399d7b611971cfa732fa91f0b696

SHA1
e990b962fe3026e8218f7cb776efb567caf0be33

SHA256
0f7b35a31f1dbcd7c7fee8033ce89c8255a08cfaf3487bde8f32f94db36775bb

SHA512
b557263548341b264616690bbcf50b9e16028c2650b806a4f74ec73a1818149ad93cafd1642b6e906626aacad208c2ed2cdffcf9c923e142bdbed6c8f705906d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6cff687f024583c25457fc9b4fd0cea5

SHA1
b8a670d4bf78ee80d64f6eda3c4cdb6143bc0e89

SHA256
5781361c966803f3e813664fd4bf1b3e5f178e697813da57ec516afd257a6a0a

SHA512
f48d131c1d51487103b332f99565bcf877a51dfb3bc67c4905bb2240e500b4f7fe4b53a95cb8674d182653436cf6de5dda523b630514b0e9c1914860bf4be4ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c1086461c95ffa81ec40950dd4fb2f41

SHA1
eca5c5bb9985405956d185eaf9241d6f53341f7b

SHA256
4f5b7d82ee476d4d1015945215967d103d6f206356f69c1ea8b10ebf412da972

SHA512
88547a23419582f34f32d0269c36e8538509111b37a8b96e6830c182172a42a8cd3f2b270491b77b7ffd25f3cea2a824a721ae201a4c1718abd4f213900f1906

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
974a1ca5b9e729ae53bbcb551cde32d1

SHA1
6348491195dab146a51be5c3a582f622c9b8d6af

SHA256
d390b5c3d91b8aaae3592b4897ac36f111a53b34a885ea7300daf956952244e0

SHA512
272e2db937536fa4ac28f1546ce86d0db19f0b0e7c962619feac9058e04a99884fa97be828da8b748d99880b9f5b6ddeb785c57d447c359317e63d2eb48aa8eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
edb2063f05ce0deea0fa0863eb99652c

SHA1
2ba727179aa03c32244219edd8b5f219f5ac8a26

SHA256
0bb697560bf646ada0ae338b68bed8c0b2fe7c514bbb584d6302a2fe279ce83d

SHA512
bf8ef1333e41483d6d23d0705293640ffb6a3999289982164f9cc48882936146281fe2cea1229c012c22db41e549b9ce114eef97dd362a2f15ab1a4e96b80360

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dde8396a8e677d2a7965676fd68ab531

SHA1
ed82af11b977d985818b5840243856d608b4e0e4

SHA256
18e94b672dd4b2e2c0ffea471575e6e7bacb4aeb59039edde1dfa7a4abfff172

SHA512
56cc30213b47f944b0b959a3bae6d571d4e02eedcac52d2e9f48f2af2f96fe9fd54f9769bd0a71e6d83ad31859d2f12b5db573ba3e457adda99ef6b4dc3bdfdb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bc49dd3c24900fcbda703f4ab34ee122

SHA1
c6f697018279512afec3765409dc4a47e39cd49c

SHA256
fc19baa4b2b067a265f9cdb0eeb162490f02dfd032231417256cac02a8faca7c

SHA512
4d2854b1463f0d0c5c1d50f91cd39ddf241cc1f3b610fdb0ca9e4d805b5d2c7ddcc67d270bdc606870d9e1feb62835fdf547a76908d5b8e9e93b5e063e2fcb1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
e23bb56db9ded559c993ee7ea4e7e0a2

SHA1
9ccfb05a52e0fc053d10d4c68dd541c91c87d768

SHA256
2c0aa274bd25f2f796a895a8401f2cb04da472322d2ee97f524c87d0c09d0e6e

SHA512
81403707c4c6923794f9827319c7925f4d19bb3e88b6d622cc55f548fe23b0aa22aa41cd81a3c10df5019fcf83fafc686450a284732be6caa6517a8b4a6c945e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
890151629bc451ca5ba65526ae5ce01d

SHA1
6f9b25c3b899317096b3fc7a98bff3bf4cacc4bf

SHA256
a43d1bd5ce315df94e9e9632abb6e118da6598ff9120bfbf9026c56c8773a840

SHA512
4c5c5f5116a45a1a3671e20e65f45eab8d55a9321c6d19ca83f307ae8706824df337ec5a9e4618bf18f302fe41c4c559286ee68c29eadaafa045c8f4e3defdea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
0a2dd7ad2ec66c7d85b13719d9a06007

SHA1
e94f4f40e410426ee040ae3922da3ba2d9fefac6

SHA256
1f8294762ac2b6b06135fcccdeb7dbee9c0c3d43291d949766a1a0dffdece540

SHA512
b9f82a9268c9c32e8c5080246eee76602f81d09433da80835d41ae23a9cef1481bba5411489593ba430b6a16976994f3eac78397215946acaa7081c82cc7183b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ac86c13b953a7d62d0a970560eaeb7e

SHA1
6f6a6d4df15a3491922d71dcb96f3892ee678240

SHA256
1975e8bfc3166aa68f890617546d038ae08c517608e4b6bbd56ec253216fd915

SHA512
4076c4f5381e093f1df32c676347e2d3a3427b7c62376ebe3fdeeed4fab635bac7ee702e2dc7ec278bf0da73946c345635b5f6acb8b89b0b65f1d0ed830ca641

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6b3a9048669d5e11a2ad65b31f4e0c1f

SHA1
1d56851bef712a6ae728d223c8e8daa58f09862a

SHA256
71125380616aaabe86683bfc7ebc424790f4f5fb70da3836227663295771733a

SHA512
186106cb939178e0495203dba70ccf2e51fcf1bb8a65f09326a850d25d76373dd9f252fc2134ace0ad215fcc57e9d4a82cc3aec11eccea7635a831096a546026

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c47cdf4bc0692aca10e826a077373a85

SHA1
6938f1f31da8b2c4a546411f9963ef6719070391

SHA256
f5b1b9eded427c314b19a04550eeab3c5b5df86952e7c4eab4873b3a039f7a9f

SHA512
f958b83577e56434478fd25fc3291a301e3c4bfed7dc8784945eb2679aa5ecf038362048ec829364788cc48677aba1fddc1307a8a77ee54828dcdfaefb2041e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3efb84d20cc0dfafa32592fbd25ee983

SHA1
7c980728559cd75da2a0ab3c83976fe18a12e9b8

SHA256
f5aef1a11764544770b0c70f4884e00e02d56a25fb3018d801af84dca785be6c

SHA512
bc3127a5dd93afd5c1e1b83518b7148b918d510aa1f08463eca838d666ef4703e3c77285264ecb7f2b286ab1b524779fe2127d5eb3d11a1d5f684c7c3646b851

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8973501ae14d89b5e1af6859cfb1e5c6

SHA1
abf1ae46984cf5448b7f15d4388c10a2fe92697e

SHA256
eec145059a2f31a0d542cd96ebda47d2eb07ac8df998d7972fbe71bbd01af744

SHA512
0659a7f20901e3acd982f852d6a29b9bbd9550391f53d372bcdd25829493e3f69813230b7f898a1fbb40b51b166a6f502d54b6d0def895c5bf82f367b6b6f307

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a549cc75a233845c1ad0c8d9fd2436ef

SHA1
c3a3b0859e8098ab11ae2593899e6167ae4404e5

SHA256
d88d671d2b36c0ff1c18cc189d978330a05dcb531e5b1c374d107c85676fb09b

SHA512
0a9a6e64bfab3a7082187159ff8ad76f55bad1f76e068e78d360df11326d8bbb579b1eec873f4566e32eb30798acf26c616fb3078352613a5d82660d3ffd12b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4fb430221a590db1852c29f703ce58a4

SHA1
0498d1b09e0adecbbd73a935b97a36f9f001229b

SHA256
b517e630f0718020093da4aab215e6f40cd2195a11db4528b0293c23f6eb051c

SHA512
061219bb8161472465ffde6e56a2d827cb74d7ee5e566063cab110a311c12495d7411ce8ad8500cbf918bba72b65e11487acc8dd3aa7dfd91611a65c380390fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7f81d0eea55a974911644e3449c3426

SHA1
06b7b8abbec5c6b1fc51500efc82fdd5ee0ab3cc

SHA256
8bd875fb2ae58065d3570c9c251422b93915afe0c703f9cf441ee0e6bf39cf64

SHA512
8a32744123cf3bec919ca03eb886abc8b60cb22ce71eaea7a0eac3d4d3652532c95c54ea90cad8ce30d94811ebec8aa7edc81eba1547a9546b3f3e017dd330a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
11a7779bc27ecb8822ba8feb553de3e6

SHA1
203a2ade582afaecfa29ed35a3915ce88211a75c

SHA256
ca7617ff65654ef56451fd4a8a1a3bf2e291f975b4fe638391cdb0939fde2e32

SHA512
c1f3b8b8cdc145e533265274d46935aebc6a7831dab68869eca2251dcdbdf42d24c269a9150450d03554cd10e99477e05f3cad9d8353e531816b55b57fdbb49d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d4a257678883a661130f99e13285cf10

SHA1
5f9618756e689b4e43e313ad698f445169c58229

SHA256
043fc7c46dd0367d199aefa231a48f20146844b85a1c7dbc1e052ce07a600d35

SHA512
b0d969e9077677d68ee9639a5fd92f16550d5e5e3f76ff5a98a9efcf3357f6190eee6098cbe1a0a8ba1dde7e3f394a8f3d908968ec4ca9ff5f73b47978c608ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
51f4747ebb80ec7ebd9d082531dfa99b

SHA1
714fcac7144546bdc26f73d32cf3b2e3d43a0bd8

SHA256
ec1d680c770123aff41623770ec3e50180bf26953a8fa60796eeca7a02cc3637

SHA512
56e79ad342dbb9bd7769c8fdec958453120c1c314dee3d398bf0369bf2f1ac035353a727bbfd7679f8fa1e59884451d11b1295b29259f97331c1683acb7639af

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 315897.crdownload

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/3380-373-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/3380-136-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/3920-378-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/3920-110-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/3920-372-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/4052-137-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download
memory/4052-374-0x00000000003F0000-0x0000000001475000-memory.dmp

Filesize
16.5MB

Download