hxxps://github[.]com/Sushaokun/FortniteExtCheat

Analysis

max time kernel
338s
max time network
334s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Sushaokun/FortniteExtCheat

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3588 created 2876	3588	Installer.exe	50
PID 4992 created 2876	4992	Installer.exe	50

Executes dropped EXE 2 IoCs

pid	Process
3588	Installer.exe
4992	Installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2661087639"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144823"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2661087639"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed336312400000000020000000000106600000001000020000000d1ad16e2c30176dcc73bfbf6afd35d2247b8eb6df794bd53f062be2775bfabfe000000000e800000000200002000000098d16b5cb082f6a643cd7a10cb1457329de2bf6b1e12f5aab6ba9dc7a5bb0f93200000008c049c7a5ec9076f631b88b6ce3db6b9c141197d2cff0a8370a6103aae80738640000000817a4761481563523d61ce3689c0596b6cba84d1d57e746bc6065278823fdd7d29ee02d15c8b377e23201301f57d95dfd2cd0d8214a105c172b90a93f43f8352	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CA2F4F2D-A76A-11EF-B9B6-DEEFF298442C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d58ca1773bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144823"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708f88a1773bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed33631240000000002000000000010660000000100002000000067de9065cebbe13e8e026edd82298ee7daf223101b249e533b061b4706c86cce000000000e80000000020000200000008bd8a814209502a0fd3927ca96a1b3848dcc0a45c6c45f5a98a3709f9afb10dc20000000024f708062badc583bd2d5864362ce5421af3ec538cefc302d6c49ad9cfa385740000000bb5ec5e7bcd1fa04258c8285dba594c2458742f19377e755630d2550059b7196587312ebd317eca33a7557715c3aff2c0dc6b2358186f3cdadcfb7d37edcca1c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
672	msedge.exe
672	msedge.exe
4108	msedge.exe
4108	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
2688	mspaint.exe
2688	mspaint.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2008	msedge.exe
2008	msedge.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3588	Installer.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
3364	svchost.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
4992	Installer.exe
1872	svchost.exe
1872	svchost.exe
1872	svchost.exe
1872	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4800	7zG.exe
Token: 35	4800	7zG.exe
Token: SeSecurityPrivilege	4800	7zG.exe
Token: SeSecurityPrivilege	4800	7zG.exe
Token: SeRestorePrivilege	3536	7zG.exe
Token: 35	3536	7zG.exe
Token: SeSecurityPrivilege	3536	7zG.exe
Token: SeSecurityPrivilege	3536	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2688	mspaint.exe
2688	mspaint.exe
2688	mspaint.exe
2688	mspaint.exe
3364	iexplore.exe
3364	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 924	4108	msedge.exe	84
PID 4108 wrote to memory of 924	4108	msedge.exe	84
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 3356	4108	msedge.exe	85
PID 4108 wrote to memory of 672	4108	msedge.exe	86
PID 4108 wrote to memory of 672	4108	msedge.exe	86
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87
PID 4108 wrote to memory of 628	4108	msedge.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2876
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Sushaokun/FortniteExtCheat
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e1246f8,0x7ffd8e124708,0x7ffd8e124718
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,11471119414287780385,8693150133385526109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1760

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\OutSend.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3364 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Installer\" -ad -an -ai#7zMap3388:80:7zEvent10893
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\" -ad -an -ai#7zMap5676:138:7zEvent18907
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\Installer.exe
"C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\Installer.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\Installer.exe
"C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\Installer.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8ff9f86aad58ee68dc392008f1c6602d

SHA1
1ba642c271cce80f9db5e03f5bb57734655e435d

SHA256
b1c5d2caea580532ef776341f0f19d7df5ac55aeaf820f7c1c0499e2a6744fae

SHA512
7e3acc5114def693b99db8cb58c0872c44ef29ec81c3b4de1e571b445d5a65d4cd8357e7ac7bd5559168030af524c4cbfd50e078e685bfa028448c46f4f813fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
bc3628f5f032f40d1fb6c1011393fbf6

SHA1
1f70850cea670985e6e0d05b62a1cbfa543f19a6

SHA256
f5a901b424808a50b752c99e1b86633dde0a1b9b9a3582e02a3d9c2751aabecd

SHA512
b9250139f7e436f009a1a12f0a68efadb38d159b5c697e12a0394bdb661b0f3a23c97f0a26b459427c693961b24bf3652d194959b82b3bbf340992dafe1f3639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51c04cfb881317dd2031b75b5993a9ba

SHA1
5bc2b96e9cf43cab5185bc6764ffd02fa36049c5

SHA256
541ef26b5c4df2bd066b57c42d530b9e3dfd2dbf07ab1b82d89044e9bdc56c39

SHA512
8a135e1474935a4fa4852ba0dff58249151a7b3a8bfabf04d1900fbc5e50ed2b06b958187a8502cf3df6155ac4ee0f46bca060b7f8e38cbef0af5df337b8b323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95fd8c83183815e9e2d8ec67fb86ffe6

SHA1
c6b4cff618390dd7213d0e9a7d4bf7fafe87210c

SHA256
e9dd2f35b48c3a0c4d688b6f274caf36627730fe5a8244d55f6c427260ac35d1

SHA512
1608275387089724bb2bf7ad0f31c0d6d902b18edacba0460c09816c7eeed5d87daa270a0aff52d1d635fcb16b7173b1b76fd5182124c56668f5326feaadbdab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91641108b8189c3cf162a87d680a1bd1

SHA1
048da086039517f73634f4473eb67f5ecc9ceca5

SHA256
f085aeab9e7f0e0cb15acc850b9bae96b413fc1bcd0ee9132324a47922919737

SHA512
85ddbaaa80eed9d2415ab24df3630576b8f0df603af7e4b4fd2640a9ee070af242cbbde0f1671877603f4652598a32a1fad5883d6cb2937441a0f0a913affc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea95aa63b0485eae6326bbecaff3b437

SHA1
bfa3b8a8b93d63ae10b5e9d76aa1abbf6481c5af

SHA256
3aae7b86e19ec17798a46d6197d7d38ed147659204899c324eed5cd6fd2f05aa

SHA512
68f0a5132243a054f5aae0b38587f4bb8b548f01b462eee57b760ef9600689cc7d28e4d44c8ee9027903c717d033c3de828260605dd1d473ded4f9b7a9fc4836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b24932aad4c32d108a29d3fb4f30cf5

SHA1
1c70b48b5659f035b7cb5cca38bda6ed17cc6c7e

SHA256
4861936b078d9a49e0b56a9d683dddebe0e8c19708895172395ce3fc4e686782

SHA512
96a81e18bffb957012f7caa5d4380cb52cb0441e7d4accb83a6159a701b119d9c169c21f07f5450cd5418355b86a40deaf0e12126efebfa5c213375b883853ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a67c.TMP

Filesize
1KB

MD5
052e0267dce16e9952291513303ae092

SHA1
5240d30e41a41ae6deb0e464e5dcced149949134

SHA256
10d8736f43e9725cb54adaedfba151f0cebfc09f8445e96c946fc60afd25f49a

SHA512
dcb483da7c6e71a9f2795a101e1cafb5ad5546aef063dbcd15b13314b560597e5508b3147e038f1d7e1a2693635749d6f33951f4a64c4c83292d0cb335d5ec5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4bdabaeb03f55835b0514d51c8bd801

SHA1
62acc330aac1ade9ffb174c472e03ccd22df59bf

SHA256
ce4d51dada8ed5b2746354ef97641767a5825ef2215b7f3fc3e303fc268c7e56

SHA512
301e0e60995b5fe075b8260dd54a3c765353f82bd141ad4f5946906b5469de6acd81803222289d6918ab1e62497c39100d8224eadd446c715c5c17da326ee1cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a496748b93122b7da426a1f1be155bd

SHA1
99d10f30228764d1f159e1a2197314e05640b799

SHA256
547f4367d386940e46ec9efdab530ef34a7e4a0c043105adfb170d33615b1808

SHA512
f354f03d7714375539d6c3cbce5e50dac8309d4cdefa75d725c36967ae6f605f8f6489b76a8b09a7a9fc2485aa43dd921dd0dd300262862b0d3e0be1269c11a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ebacf6dd13c907bc54f00a543b36e72

SHA1
281b0f0d0be4223d66ec3ea5b744106308787217

SHA256
5ad4533cd1b2ab09574d2a9bd093aa0ce50d450866b19b1aa2e3c5eb959708c7

SHA512
380280843380d5f8c864538cb48b4d8363810ef4781a052222f4a67e414c768555a972d61c1c87ecfde8e0d3329918ceb5d4c22fb9f1895ac399356a21f13aba

Download Submit
C:\Users\Admin\Downloads\Installer\Installer_(password_youtube)\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
memory/1872-761-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/1872-759-0x00007FFDAB790000-0x00007FFDAB985000-memory.dmp

Filesize
2.0MB

Download
memory/1872-758-0x0000000000A80000-0x0000000000E80000-memory.dmp

Filesize
4.0MB

Download
memory/1872-755-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/3364-736-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/3364-734-0x00007FFDAB790000-0x00007FFDAB985000-memory.dmp

Filesize
2.0MB

Download
memory/3364-733-0x0000000001800000-0x0000000001C00000-memory.dmp

Filesize
4.0MB

Download
memory/3364-729-0x0000000001240000-0x000000000124A000-memory.dmp

Filesize
40KB

Download
memory/3588-724-0x0000000002A40000-0x0000000002E40000-memory.dmp

Filesize
4.0MB

Download
memory/3588-720-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3588-725-0x0000000002A40000-0x0000000002E40000-memory.dmp

Filesize
4.0MB

Download
memory/3588-726-0x00007FFDAB790000-0x00007FFDAB985000-memory.dmp

Filesize
2.0MB

Download
memory/3588-728-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/3588-718-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3588-719-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3588-716-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3588-717-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3588-732-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/3588-712-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/3588-713-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/3588-715-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3588-721-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/4992-742-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/4992-744-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4992-745-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4992-746-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4992-747-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/4992-751-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/4992-756-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/4992-743-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4992-754-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/4992-752-0x00007FFDAB790000-0x00007FFDAB985000-memory.dmp

Filesize
2.0MB

Download
memory/4992-741-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4992-739-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download
memory/4992-738-0x0000000000400000-0x0000000000B4F000-memory.dmp

Filesize
7.3MB

Download