limerat | d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chr.exe
Size

66KB
MD5

50b2b692da0c363e301709a28b30afaf
SHA1

098e00413ba405bcc72b71a5869c2d151e93448a
SHA256

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
SHA512

d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
SSDEEP

1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\one.exe	family_xworm
C:\Windows\System32\one.exe	family_xworm
C:\Windows\System32\one.exe	family_xworm
behavioral2/memory/4572-32-0x0000000000D70000-0x0000000000D98000-memory.dmp	family_xworm
behavioral2/memory/4948-36-0x000002879C970000-0x000002879C980000-memory.dmp	family_xworm

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chr.exeone.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	chr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	one.exe

Executes dropped EXE 2 IoCs

Processes:

one.exeses.exe

pid process

4572 one.exe
1940 ses.exe

pid	process
4572	one.exe
1940	ses.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

one.exechr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe"	one.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe"	chr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe"	chr.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
35	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

chr.exe

description	ioc	process
File opened for modification	C:\Windows\System32\one.exe	chr.exe
File created	C:\Windows\System32\ses.exe	chr.exe
File opened for modification	C:\Windows\System32\ses.exe	chr.exe
File created	C:\Windows\System32\one.exe	chr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5096 schtasks.exe
4488 schtasks.exe

pid	process
5096	schtasks.exe
4488	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

one.exe

pid process

4572 one.exe

pid	process
4572	one.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeone.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
4572	one.exe
4572	one.exe
4696	msedge.exe
4696	msedge.exe
1108	msedge.exe
1108	msedge.exe
5496	identity_helper.exe
5496	identity_helper.exe
5668	msedge.exe
5668	msedge.exe
5668	msedge.exe
5668	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

chr.exepowershell.exeone.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3700	chr.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4572	one.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

one.exe

pid process

4572 one.exe

pid	process
4572	one.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chr.exeone.exeses.exemsedge.exe

description	pid	process	target process
PID 3700 wrote to memory of 1524	3700	chr.exe	powershell.exe
PID 3700 wrote to memory of 1524	3700	chr.exe	powershell.exe
PID 3700 wrote to memory of 4488	3700	chr.exe	schtasks.exe
PID 3700 wrote to memory of 4488	3700	chr.exe	schtasks.exe
PID 3700 wrote to memory of 4572	3700	chr.exe	one.exe
PID 3700 wrote to memory of 4572	3700	chr.exe	one.exe
PID 3700 wrote to memory of 4948	3700	chr.exe	powershell.exe
PID 3700 wrote to memory of 4948	3700	chr.exe	powershell.exe
PID 3700 wrote to memory of 5096	3700	chr.exe	schtasks.exe
PID 3700 wrote to memory of 5096	3700	chr.exe	schtasks.exe
PID 3700 wrote to memory of 1940	3700	chr.exe	ses.exe
PID 3700 wrote to memory of 1940	3700	chr.exe	ses.exe
PID 3700 wrote to memory of 1940	3700	chr.exe	ses.exe
PID 4572 wrote to memory of 3100	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 3100	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 5056	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 5056	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 1340	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 1340	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 2716	4572	one.exe	powershell.exe
PID 4572 wrote to memory of 2716	4572	one.exe	powershell.exe
PID 1940 wrote to memory of 4696	1940	ses.exe	msedge.exe
PID 1940 wrote to memory of 4696	1940	ses.exe	msedge.exe
PID 4696 wrote to memory of 1096	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1096	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1440	4696	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\chr.exe
"C:\Users\Admin\AppData\Local\Temp\chr.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4488
- C:\Windows\System32\one.exe
  "C:\Windows\System32\one.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5096
- C:\Windows\System32\ses.exe
  "C:\Windows\System32\ses.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42846f8,0x7ffbd4284708,0x7ffbd4284718
      4⤵
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:1224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:3364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      4⤵
      PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3888181031882501620,1403687122462343435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4556 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42846f8,0x7ffbd4284708,0x7ffbd4284718
      4⤵
      PID:5788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d2df342bb3119b4d27a7ea378afc15ab

SHA1
92bc868ccf2b016ad519aa63bb7eed69bb188764

SHA256
2fe435463d4947375bf56f4585ea86ab51f8257a77e823e11a863a1f2717629c

SHA512
0fef37bccea0cb64560eb8984d26da9ddcf64980ec9c69796550c798988fce50a494a6dc3f5dee2b9f223b0a14e2c0b8bccd3d1a6eb40d4f72f17d89935f53da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d8428b086acb5723ac690d6ac683aeb

SHA1
8f70fe9165ae29c7c5f501ef6087ab9516feac5e

SHA256
4621c7dff1ee20245bdc9d9d7228140998d543c477da69528e30895eb1717d00

SHA512
db9b5e19a398be6718534e8a48f2a3ef14af0cb63c1d75482631df423758e26dd9877be83b8677def6a15e93d1d0807e648a094915a350a91f24c3d5eb0f63f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30836afa3b8f49d4650be25535a9e880

SHA1
ba585577e2ee14d3b36c28106462851b114895f9

SHA256
0aa77321b17a46697e20716cd73a87461a73f962e4d399bd4e5f5222b85a0a7f

SHA512
d23ea0504c1f382fa1e464dc59c12b6e3dc5ee3b16c9c59fb9df85fc9ab1a555179ed442d302adabcb3396ab5de1f7ffeb8cf6fc2e47472515deab394b811cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
370ac12aa9f8d8cc8c6707ecbff3cef5

SHA1
69e66e68b64873eab3ef0ff8d60b5268e30be2e3

SHA256
8d1e9a4cb2b6801a8bea4d16b5c3508b798ba9972177dd4fa8133e4371934e3b

SHA512
a1324f37cf1510ea86773b4f82ca95c3fa9c53f0a4dd03f373782c437a2a33ea0e2fffd63d3a510725979aabc721fed8d5ee1bcb77b671c965c738a63d426ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5891cb.TMP

Filesize
371B

MD5
d5c80be613c18c2a06a73f827520722a

SHA1
9847ae535af0e5dbb20c64e7150daeb3b822f0ed

SHA256
d075cf43ceae28dd4dbc5fdcf424c5795aabafaf59e2d34fa0c5b5ea9a27d466

SHA512
edb74d6a2fda1a4316d283f516ad00f3955cc3fb3ff4816af816026296c05f9b43b7f909742bc74de6846af73bb177757d1f5e63c797756378b035498d4eaacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39ae274898af6a954ff75865562ee752

SHA1
6a652cc1d0b3bf6c9d1b10a75b562dceee08362e

SHA256
198475d8e9607ec19fd50d248a91d32d66fa478f6cbd868108f2da9a6ebb586c

SHA512
19f17df918515adc0fd2e576bc246269c3ce7a6a1e69f8ee4ec418eb2847d055220585f565171c6c502eebea98801e5579e1a5309a8150abc1f2593fe565778b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dba61aa81e9f5d1e90513d7c2b6a5398

SHA1
8745f6f501d005358ba440b7e177505f4862bbf9

SHA256
45ea8ce36518ed49da66a35a70bbeb4bb9ae6c7b366d20e7c0fda21031d3f8f2

SHA512
fb4c64bdb30002bab6c7b5f38e06eee2fe0b65ccd5d376d0c9bb82795316510508d1102e1ce5aa336456d3dbc73555a4a9b73ec5d816082f0fede8e3d7987172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pra1wuxh.fvg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
\??\pipe\LOCAL\crashpad_4696_ZGBDYSOENDZDOLTL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1340-106-0x00000197B3AD0000-0x00000197B3AE0000-memory.dmp

Filesize
64KB

Download
memory/1340-96-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/1340-107-0x00000197B3AD0000-0x00000197B3AE0000-memory.dmp

Filesize
64KB

Download
memory/1340-111-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/1340-109-0x00000197B3AD0000-0x00000197B3AE0000-memory.dmp

Filesize
64KB

Download
memory/1524-6-0x000002466FCD0000-0x000002466FCE0000-memory.dmp

Filesize
64KB

Download
memory/1524-16-0x000002466FCD0000-0x000002466FCE0000-memory.dmp

Filesize
64KB

Download
memory/1524-5-0x000002466FCD0000-0x000002466FCE0000-memory.dmp

Filesize
64KB

Download
memory/1524-19-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/1524-4-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/1524-3-0x00000246702C0000-0x00000246702E2000-memory.dmp

Filesize
136KB

Download
memory/2716-132-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/2716-112-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/2716-113-0x0000022128B20000-0x0000022128B30000-memory.dmp

Filesize
64KB

Download
memory/2716-124-0x0000022128B20000-0x0000022128B30000-memory.dmp

Filesize
64KB

Download
memory/3100-78-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/3100-76-0x000002375EBF0000-0x000002375EC00000-memory.dmp

Filesize
64KB

Download
memory/3100-63-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/3100-64-0x000002375EBF0000-0x000002375EC00000-memory.dmp

Filesize
64KB

Download
memory/3100-65-0x000002375EBF0000-0x000002375EC00000-memory.dmp

Filesize
64KB

Download
memory/3700-62-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/3700-49-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/3700-0-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/3700-1-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/3700-2-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/4572-92-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/4572-32-0x0000000000D70000-0x0000000000D98000-memory.dmp

Filesize
160KB

Download
memory/4572-139-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/4572-34-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/4948-52-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/4948-51-0x000002879C970000-0x000002879C980000-memory.dmp

Filesize
64KB

Download
memory/4948-48-0x000002879C970000-0x000002879C980000-memory.dmp

Filesize
64KB

Download
memory/4948-47-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/4948-36-0x000002879C970000-0x000002879C980000-memory.dmp

Filesize
64KB

Download
memory/4948-35-0x000002879C970000-0x000002879C980000-memory.dmp

Filesize
64KB

Download
memory/5056-79-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/5056-95-0x00007FFBDA2C0000-0x00007FFBDAD81000-memory.dmp

Filesize
10.8MB

Download
memory/5056-93-0x000001B74B490000-0x000001B74B4A0000-memory.dmp

Filesize
64KB

Download
memory/5056-80-0x000001B74B490000-0x000001B74B4A0000-memory.dmp

Filesize
64KB

Download
memory/5056-81-0x000001B74B490000-0x000001B74B4A0000-memory.dmp

Filesize
64KB

Download