limerat | d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chr.exe
Size

66KB
MD5

50b2b692da0c363e301709a28b30afaf
SHA1

098e00413ba405bcc72b71a5869c2d151e93448a
SHA256

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
SHA512

d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
SSDEEP

1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022cdb-24.dat	family_xworm
behavioral2/files/0x0009000000022cdb-31.dat	family_xworm
behavioral2/files/0x0009000000022cdb-30.dat	family_xworm
behavioral2/memory/884-32-0x0000000000320000-0x0000000000348000-memory.dmp	family_xworm

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	chr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	one.exe

Executes dropped EXE 2 IoCs

pid	Process
884	one.exe
2508	ses.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe"	chr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe"	chr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe"	one.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\one.exe	chr.exe
File opened for modification	C:\Windows\System32\one.exe	chr.exe
File created	C:\Windows\System32\ses.exe	chr.exe
File opened for modification	C:\Windows\System32\ses.exe	chr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5040	schtasks.exe
4308	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
884	one.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4108	powershell.exe
4108	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe
1700	powershell.exe
1700	powershell.exe
3924	msedge.exe
3924	msedge.exe
3016	msedge.exe
3016	msedge.exe
1700	powershell.exe
1700	powershell.exe
5512	powershell.exe
5512	powershell.exe
5512	powershell.exe
884	one.exe
884	one.exe
1140	identity_helper.exe
1140	identity_helper.exe
5908	msedge.exe
5908	msedge.exe
5908	msedge.exe
5908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	chr.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	884	one.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	5512	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	one.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4108	4160	chr.exe	92
PID 4160 wrote to memory of 4108	4160	chr.exe	92
PID 4160 wrote to memory of 5040	4160	chr.exe	94
PID 4160 wrote to memory of 5040	4160	chr.exe	94
PID 4160 wrote to memory of 884	4160	chr.exe	96
PID 4160 wrote to memory of 884	4160	chr.exe	96
PID 4160 wrote to memory of 2492	4160	chr.exe	98
PID 4160 wrote to memory of 2492	4160	chr.exe	98
PID 4160 wrote to memory of 4308	4160	chr.exe	99
PID 4160 wrote to memory of 4308	4160	chr.exe	99
PID 4160 wrote to memory of 2508	4160	chr.exe	101
PID 4160 wrote to memory of 2508	4160	chr.exe	101
PID 4160 wrote to memory of 2508	4160	chr.exe	101
PID 884 wrote to memory of 1144	884	one.exe	105
PID 884 wrote to memory of 1144	884	one.exe	105
PID 884 wrote to memory of 1496	884	one.exe	107
PID 884 wrote to memory of 1496	884	one.exe	107
PID 2508 wrote to memory of 3016	2508	ses.exe	110
PID 2508 wrote to memory of 3016	2508	ses.exe	110
PID 3016 wrote to memory of 2664	3016	msedge.exe	109
PID 3016 wrote to memory of 2664	3016	msedge.exe	109
PID 884 wrote to memory of 1700	884	one.exe	112
PID 884 wrote to memory of 1700	884	one.exe	112
PID 2508 wrote to memory of 1948	2508	ses.exe	114
PID 2508 wrote to memory of 1948	2508	ses.exe	114
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117
PID 3016 wrote to memory of 3124	3016	msedge.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\chr.exe
"C:\Users\Admin\AppData\Local\Temp\chr.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5040
- C:\Windows\System32\one.exe
  "C:\Windows\System32\one.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4308
- C:\Windows\System32\ses.exe
  "C:\Windows\System32\ses.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:1508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      PID:5188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      4⤵
      PID:6008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      4⤵
      PID:6000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
      4⤵
      PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10495395363001090480,13648164820724558011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:1948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7b0b46f8,0x7ffe7b0b4708,0x7ffe7b0b4718
      4⤵
      PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe7b0b46f8,0x7ffe7b0b4708,0x7ffe7b0b4718
1⤵
PID:2664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
f4fa68625bf7b9878613211c139a334b

SHA1
efd8480d7ba9b6efb3112fcb7f9a1a0022e486df

SHA256
7a8192297fc29f8468edb5b646b8bf1c821d9acb77dfe1fde2a7772e6bf6dde9

SHA512
01432f6540d3bed6ddc514e7e2cc0409ee54fcbf536f2982eb990c680ace4db848aca93ef0dde4be61b6149f5b07da77196ad56b17391cbad528cdd49f659287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95c8d693074897bb58cb56925f2eaa9f

SHA1
87dce4a73f00e761e319a8b9f19e11c539352e0b

SHA256
2206ac4fe7afb88dbc90c1cbf071143f255f1af21229c45ce1bda7d0b1b0a356

SHA512
bdf33361fe90687a5fb4ca2ae8ab7230e94b68d617d51a2f9c1e3087c2448ad55387c32a7252aba6a76fad43c86726cda39fd1fe9ac2b61434e37205198351a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
267ed684c4f7987ba6bcd97854dd1443

SHA1
f7456ba6b93a9198686f350a3844f295d5e732af

SHA256
193ab88cd18a0ccb9d0c37820f7b3cfa013a8e50f4d6b05a96691d553436762c

SHA512
f11523edc0dc2a01f08711cf6341054d9e5585b4ce326c9feb2e374946115bff60a160de77f3cd213ff068c4a98e499d06c005e4f9fd91b904ee9474b5f508e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
51693ac28e823f651aabb633616d2ee9

SHA1
b76c3ea224370e423c57c44c2bd9966bf67169f8

SHA256
7e1866f78fe6a429812483e90309f5dcd27a4e3ef02cefe6778074db51966da5

SHA512
849773a299225049a8147724ac0e19e48284a431722d6f25045b5f467c36da8127c239e062204f4f9889820b31178038d36455524b6e63cf21ef4239c2e135f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58755a.TMP

Filesize
371B

MD5
07cb9c96ed9a032345d6fed6bd6f2706

SHA1
b69777e7bd9e822e5488a85baab2aaaf46e80334

SHA256
e5daec2bf88680dccf223b4b17ef5c9c6b9620cdbef79285c8815248a18267a7

SHA512
5dd62b080c2e89500cb09f08e44ebe1718e6701b558a79882351d2bc9deb833f9456d284e07f2bdb5b0de27919a96da777771f3fa72957d923a91c360c89bd68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2e44b84fc54af418b779d001d74ab83

SHA1
168d4002ede408d221cd12f05c2e958e5ebe6ec5

SHA256
5dd854b9d42e1591a37bf629235114b1006f3d57448fa2c16e98d931af7ed0b2

SHA512
3d7388facb74d4df7ce0bd1da42a8703952be54ac4dc35ce5446c48cc5450e5f411c05e0f492162978b0bb82c2f8b86b313ad231016d9e46be602bdd413b4838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b84c1f5c0b40ca1a3b2972b98603b1d4

SHA1
d9c26813a0fa485005c4eb388985aa7aff4bc652

SHA256
145e4a308b3cb22dad30cc221832cb0ee47d6035829de504b1b0e9d9c09d8693

SHA512
49f2bee74d99bb42f59475188d01c29ce73520e24a178a428f85e99c2392472045facfd5050949b2e11f0ec3984e58f3a4dc41f7f2db323b240fe320db1f36dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65995df72c3e88a1d1d15c170b49d777

SHA1
fca702296954192da52b0f4bb51bca26bebe0e52

SHA256
3e74f281e83a0ce8b5d15d7cacae7e02e7773b1321ab53ad377437ef6ef78915

SHA512
5f8b488e3e12411f4db9e9c6f67bb384bd474065f659c4028fd12324c6db8440318a818716d83e589f8b7e10875df65348bac0e60ac7bb790b5430e94b746aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
272dc716c99407615cc54be63824cd1e

SHA1
6aeeeee0a254473427af394b161c1020cf74ec0a

SHA256
0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

SHA512
5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4cg2sgu.0qv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
memory/884-33-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/884-293-0x000000001AF80000-0x000000001AF90000-memory.dmp

Filesize
64KB

Download
memory/884-216-0x000000001AF80000-0x000000001AF90000-memory.dmp

Filesize
64KB

Download
memory/884-32-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/884-92-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1144-62-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1144-77-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1144-75-0x0000024FD3510000-0x0000024FD3520000-memory.dmp

Filesize
64KB

Download
memory/1144-69-0x0000024FD3510000-0x0000024FD3520000-memory.dmp

Filesize
64KB

Download
memory/1144-63-0x0000024FD3510000-0x0000024FD3520000-memory.dmp

Filesize
64KB

Download
memory/1496-87-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1496-89-0x0000021CEDF10000-0x0000021CEDF20000-memory.dmp

Filesize
64KB

Download
memory/1496-90-0x0000021CEDF10000-0x0000021CEDF20000-memory.dmp

Filesize
64KB

Download
memory/1496-91-0x0000021CEDF10000-0x0000021CEDF20000-memory.dmp

Filesize
64KB

Download
memory/1496-94-0x0000021CEDF10000-0x0000021CEDF20000-memory.dmp

Filesize
64KB

Download
memory/1496-101-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1700-170-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1700-110-0x000001B8C0D10000-0x000001B8C0D20000-memory.dmp

Filesize
64KB

Download
memory/1700-109-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/1700-111-0x000001B8C0D10000-0x000001B8C0D20000-memory.dmp

Filesize
64KB

Download
memory/1700-145-0x000001B8C0D10000-0x000001B8C0D20000-memory.dmp

Filesize
64KB

Download
memory/1700-161-0x000001B8C0D10000-0x000001B8C0D20000-memory.dmp

Filesize
64KB

Download
memory/2492-49-0x0000021BF66C0000-0x0000021BF66D0000-memory.dmp

Filesize
64KB

Download
memory/2492-51-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/2492-35-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/2492-36-0x0000021BF66C0000-0x0000021BF66D0000-memory.dmp

Filesize
64KB

Download
memory/2492-37-0x0000021BF66C0000-0x0000021BF66D0000-memory.dmp

Filesize
64KB

Download
memory/4108-19-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/4108-16-0x000001E3FF2C0000-0x000001E3FF2D0000-memory.dmp

Filesize
64KB

Download
memory/4108-3-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/4108-5-0x000001E3FF2C0000-0x000001E3FF2D0000-memory.dmp

Filesize
64KB

Download
memory/4108-4-0x000001E3FF440000-0x000001E3FF462000-memory.dmp

Filesize
136KB

Download
memory/4108-6-0x000001E3FF2C0000-0x000001E3FF2D0000-memory.dmp

Filesize
64KB

Download
memory/4160-38-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/4160-0-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/4160-61-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/4160-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/4160-1-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/5512-172-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/5512-175-0x0000018562240000-0x0000018562250000-memory.dmp

Filesize
64KB

Download
memory/5512-186-0x0000018562240000-0x0000018562250000-memory.dmp

Filesize
64KB

Download
memory/5512-189-0x00007FFE80E40000-0x00007FFE81901000-memory.dmp

Filesize
10.8MB

Download
memory/5512-187-0x0000018562240000-0x0000018562250000-memory.dmp

Filesize
64KB

Download