d749a99f483b4526915a5d88bbc93ab3318969a554fd4ae589750dd8b4a0d11d

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-01 18-18-33.avi
Size

249.0MB
MD5

1260bf8fff54f57a0eae34deb385437b
SHA1

340ce576ed7eda6001534b96d1569dfb323e6187
SHA256

d749a99f483b4526915a5d88bbc93ab3318969a554fd4ae589750dd8b4a0d11d
SHA512

8bbf9f80cbfb474c5db9131b3a09d6bc72ecc238ac58866877a03f34c95c129c21eb9f951331104da425b15e8710443e0046fd20972eb0dff48c5416716ece49
SSDEEP

6291456:Shj9dANe4nuPj7iuDqvt81881VPqUrmdAe/YdmPx:Shj9dANZnuPj7iuDqvt81881VPqUrmdL

Score

8^/10

steam defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	4752	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{D381C705-E4B5-4F2E-91D7-D15D901DF267}	wmplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 752531.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
868	msedge.exe
868	msedge.exe
2580	msedge.exe
2580	msedge.exe
5020	identity_helper.exe
5020	identity_helper.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4752	wmplayer.exe
Token: SeCreatePagefilePrivilege	4752	wmplayer.exe
Token: SeShutdownPrivilege	696	unregmp2.exe
Token: SeCreatePagefilePrivilege	696	unregmp2.exe
Token: 33	1012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1012	AUDIODG.EXE
Token: SeShutdownPrivilege	4752	wmplayer.exe
Token: SeCreatePagefilePrivilege	4752	wmplayer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4752	wmplayer.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4720	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3432	4752	wmplayer.exe	78
PID 4752 wrote to memory of 3432	4752	wmplayer.exe	78
PID 4752 wrote to memory of 3432	4752	wmplayer.exe	78
PID 3432 wrote to memory of 696	3432	unregmp2.exe	79
PID 3432 wrote to memory of 696	3432	unregmp2.exe	79
PID 868 wrote to memory of 3828	868	msedge.exe	90
PID 868 wrote to memory of 3828	868	msedge.exe	90
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 3276	868	msedge.exe	91
PID 868 wrote to memory of 1628	868	msedge.exe	92
PID 868 wrote to memory of 1628	868	msedge.exe	92
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93
PID 868 wrote to memory of 2484	868	msedge.exe	93

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:8 /Open "C:\Users\Admin\AppData\Local\Temp\2024-12-01 18-18-33.avi"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 692
  2⤵
  - Program crash
  PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
1⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ff9e0b83cb8,0x7ff9e0b83cc8,0x7ff9e0b83cd8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4536 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,619320451432559206,6142215650348035157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4064

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6dcfc3e6b014e30719004656c33bae36

SHA1
49103612f4e9540d8bb3d995b94d882c2145ee2d

SHA256
6e58f7ff1dd0d9b84583e514d190f49b3510a1b433db046a813c7dddf95f134f

SHA512
6d0d9fd0175aa6a95c1131e609a97e26ce262396339d4b5593cb4755d1e34884f032687278bbaddaeee75992091bdc1e9f70007cbce34d2091e21f477c85f06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea24f3d923dfd4882203d4ff7731661c

SHA1
389427e881b7f3506082cab5105c84d050839f8c

SHA256
aa9e1041ef640cfe7cf4c9711ffec330533d6f6f0aac642457892baa400f9b28

SHA512
2c8617775d33cd2e5f2e48c9fd79f069ec70e99125e893527171ec1cfd8237ac5a8e75a1bab19f09f23e5cfd791a5edfb5e89da69b0f41565d5437a967efbc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ef1f3da2a4e5e184a6f6aafbc65f629

SHA1
a09149e52e69f72475527509ba6fe880a267c5a2

SHA256
0217528223c7bec516c2715fbb973d04d16d781a14ee9d43f1d3b2633d65c67c

SHA512
06b6dae6f6aa87a49300a7ccc5a77db8cd7b27d6de066dabadb63fdac33d414b1e1bc2b0e82cb1962ec61aaa60260694c4f90e7d29c0c5730d4440e1f7e47e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bae9b934b2886799af0b92e57b69c36e

SHA1
5a17801914060343c9234ce2be76b27a72f635da

SHA256
cd536d2a4d82b57f60e2b2b7a2b1367da370f412ea56b3c2274ab2213cdfde32

SHA512
e3e03c25e9bf385659b294da364e82bb09577200a33ae42a34ecfa5940b3e8d28a7543c3623d563d840fb8b2a01bd290249143db9b4548067b20ae581de0ce1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
436bef0d0be5140082dfcb23409a662a

SHA1
e17929932dabad0b304350b70f2f5318b8af0a3e

SHA256
a207d5405c1fce897274bf1ec5d609e2e72893311e148370a72a855d320bb6e5

SHA512
837be44a3d51ad06b76187127c849b6a73865312db88ebc91c3da35d21edfd3b6499701d8982e26b9e66ce8e4a8daf096f9963f2ab35c81c48ce62120a5dde79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ec39eb5517f6c53bb4d9add1223f970

SHA1
8cf7a0e6629b5da18eccb5ee710d2e0281062300

SHA256
22121d38e79e42ee239ae0c343ac95a58dae4d8100ea21b0045a0a8822ed6d4f

SHA512
2dbfaf28a791fe741e4677814828edd9b07c01b455246c7c9ec739c9e0398aba332c1cc8948df59e08755dd723446ad89ad66e2ddf306bb249384bf7e79a74dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
08f64efc3a15c1de3f7dd6e60d3da45e

SHA1
f25872cba3382c3cba7ef1e041c6c6bb48bdc20a

SHA256
cf0882fec3ede2731e840426fea2af8f1614cbca83cebd72b29b78513d737988

SHA512
63efbf5658c205dbba58a904a773d7fbada9e1e4ddba9b8fac95722020a85cd867a6a798105e3122aa5a6ada09cbb6ff7a67afcf5379e7d8bb21a062d08b50fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40251e08437eb8a8b9e4a08ba827ba36

SHA1
941b8a64be9dfe9c7f08ae86fffa41357065faa1

SHA256
c2392e228d27623cb56644073e1ad2b053a6be6b5820a9e05260d5a93efb1418

SHA512
0c0f6fb90a4eecdffc86ef0a04b665ef15dfd480e2972f3e84aec063a76e47b1ffce35338f6a31eed0f067d2ed5837116df342883f1d37e0e79ea835c8de7aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd0cfced9e5051e41d0bac7ae21ea5d3

SHA1
e041ed6c0181f591ce735e79b6dd060c74f2dfca

SHA256
d1ba5513521622986c7f65a2c2e23aca8fa1dea27a49015f858bfa7b50c00eed

SHA512
0f7b75d01dfaeabcbfd3b437721f8fbbe11f61f0f90d5415bf61b902dc60ac25397aeeb2e3e7210cec17116632c91067a0347da78d220cc47b296c3d8079f07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
d35defde3ad3faecd5955399986c9785

SHA1
7762067bc38abb0654f552bd5967404c57954ea3

SHA256
69d351f5546d8e20aed4549148ce8b8344faa65fb64e00b248028ac408922319

SHA512
cabff3a74b4b18b87b389f74c383dd79f33f17504a239deb35bb0ccf0d6f9e20b638d136ef8b3b7390f48a16e4f9398f264cc714766c8f7c032124a8737d84d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
0fb117f1e853b68754d04f02abce0af8

SHA1
a46e733254b77fcbc526c9125500ad294a73076f

SHA256
181054075c88b85728f4a20a65f97da887de332a4837ee690de4fa04578d5faa

SHA512
3a57e12486ec28711926f94c4b906ca80d646709de8effeb9f05d9b9e8595c948b24ad4932aed57ce231b22457e323facb4c0f1b92d43072ae6a04da29d53e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\254e6f25-31b5-4289-bd64-588e3b5afb19.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e849079594341fde90b675fb132a777b

SHA1
3ee2763ae4b8fe70be2931bdeada13fa961b4658

SHA256
cb3ebbdfbfb7dd65e3393a999b1ae512063eea7c2085a9b151f0ec81ea143f07

SHA512
a14e83433a32553126f013dcc252427a1e7a0c8e88b80ab1ffb2d264ccef509c885fc95fa5fd2f4f2a70820a9b13cf2afbd80501a9b68f1be0cf144ce800d745

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
5536790ba17b18e19e09f4c7e90f178d

SHA1
8ee2c211eb37d7cd04b3eb4e3086c401b644ca24

SHA256
86b45eb24fa79c48dd6dae032857595be256ea370bfcdb3f33362221965efa9d

SHA512
1b0155e4bf8b6654a0b4b228bc624809268f39d2481f3e2191e7795ca85b28f2660f46f8811714594de0c81522898969595b7cf00b1c15b8b4779d77d71119b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
ba3931ba7305f549a6b7509ca47a3883

SHA1
0a1252de36a723c86618a7409c21deec4c46d9a7

SHA256
627d5870abf4f0da16aaef62ec20461d52d7eda0982594b890045ad958994fab

SHA512
776502dc8ba3672ac047124564293136f86cde78594d5de921afed1fc3665de3b5ff33d9af16cc1bf004a9458ef28a362f53ab02ee0ca6532447ab469987f422

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 752531.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/4752-41-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-46-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-53-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-52-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-50-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-56-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-55-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-59-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-58-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-57-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-51-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-49-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-48-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-72-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-47-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-54-0x0000000009580000-0x0000000009590000-memory.dmp

Filesize
64KB

Download
memory/4752-45-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-44-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-43-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-42-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-36-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-37-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-38-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-39-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-40-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-35-0x0000000009A10000-0x0000000009A20000-memory.dmp

Filesize
64KB

Download
memory/4752-32-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-33-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-34-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/4752-31-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download