limerat | d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chr.exe
Size

66KB
MD5

50b2b692da0c363e301709a28b30afaf
SHA1

098e00413ba405bcc72b71a5869c2d151e93448a
SHA256

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
SHA512

d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
SSDEEP

1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022da4-25.dat	family_xworm
behavioral2/files/0x0008000000022da4-31.dat	family_xworm
behavioral2/files/0x0008000000022da4-32.dat	family_xworm
behavioral2/memory/2260-33-0x0000000000190000-0x00000000001B8000-memory.dmp	family_xworm

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	chr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	one.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	one.exe
3600	ses.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe"	one.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe"	chr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe"	chr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\one.exe	chr.exe
File created	C:\Windows\System32\ses.exe	chr.exe
File opened for modification	C:\Windows\System32\ses.exe	chr.exe
File created	C:\Windows\System32\one.exe	chr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4476	schtasks.exe
2652	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2260	one.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
880	powershell.exe
880	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
2804	powershell.exe
2804	powershell.exe
2288	powershell.exe
2288	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
112	msedge.exe
112	msedge.exe
1332	msedge.exe
1332	msedge.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
2260	one.exe
2260	one.exe
1768	identity_helper.exe
1768	identity_helper.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe
6064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	chr.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2260	one.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe
112	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2260	one.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 880	2336	chr.exe	91
PID 2336 wrote to memory of 880	2336	chr.exe	91
PID 2336 wrote to memory of 4476	2336	chr.exe	94
PID 2336 wrote to memory of 4476	2336	chr.exe	94
PID 2336 wrote to memory of 2260	2336	chr.exe	96
PID 2336 wrote to memory of 2260	2336	chr.exe	96
PID 2336 wrote to memory of 4648	2336	chr.exe	98
PID 2336 wrote to memory of 4648	2336	chr.exe	98
PID 2336 wrote to memory of 2652	2336	chr.exe	99
PID 2336 wrote to memory of 2652	2336	chr.exe	99
PID 2336 wrote to memory of 3600	2336	chr.exe	101
PID 2336 wrote to memory of 3600	2336	chr.exe	101
PID 2336 wrote to memory of 3600	2336	chr.exe	101
PID 2260 wrote to memory of 2804	2260	one.exe	103
PID 2260 wrote to memory of 2804	2260	one.exe	103
PID 2260 wrote to memory of 2288	2260	one.exe	104
PID 2260 wrote to memory of 2288	2260	one.exe	104
PID 2260 wrote to memory of 4120	2260	one.exe	106
PID 2260 wrote to memory of 4120	2260	one.exe	106
PID 3600 wrote to memory of 112	3600	ses.exe	108
PID 3600 wrote to memory of 112	3600	ses.exe	108
PID 112 wrote to memory of 1124	112	msedge.exe	109
PID 112 wrote to memory of 1124	112	msedge.exe	109
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 2252	112	msedge.exe	112
PID 112 wrote to memory of 1332	112	msedge.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\chr.exe
"C:\Users\Admin\AppData\Local\Temp\chr.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4476
- C:\Windows\System32\one.exe
  "C:\Windows\System32\one.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2652
- C:\Windows\System32\ses.exe
  "C:\Windows\System32\ses.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f0c46f8,0x7ffb6f0c4708,0x7ffb6f0c4718
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
      4⤵
      PID:1184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:3200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
      4⤵
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:1232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
      4⤵
      PID:5440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:3188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f0c46f8,0x7ffb6f0c4708,0x7ffb6f0c4718
      4⤵
      PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8b694361-45d6-4707-8445-dc06616a85df.tmp

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
843f0f95f6bebbe6bca93e9be9034d9a

SHA1
753bc80da591db50e0f1f6d083904e54f9909ee4

SHA256
b4f8a32adee29a79c73a5b17bd001fff0694a5c6909215b5631e7d056c8a8c92

SHA512
414e41007521e802b0d0c0bbef45da6156489d66ca4eeae634666f563ca9d381c4bf5ebb8c90547d62b46a6d7c8cc25f5ed61a7591212b2e4f0496e6d69b5bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a29f695748c0f2e38f6b17902264b80

SHA1
73ecf6fa8b391c0bd7dd87d386abdd6912b6ce90

SHA256
bc91a0a917b62d35546883c7cc6684481496a6d7576340975f1bb9434e87dcd5

SHA512
0ff926a8af1c739f466217cf4b8eea0bdd616557e1fc5b785be70dbb6346a782136cc874f7eb24b39bf5d3dda59ad4284e48ace3f841f50345f1a24c6012398f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54b46fc473bb78a609e2b68d3c85c018

SHA1
5cc45362a97cfcce211c8954639ab099944780bb

SHA256
bd71c09b36ceb326a955c2a7c870fb791355adc44cd236b9211107e64f55b63d

SHA512
5c15ba07d5d4c755f771323ae6ed4c011bf3e420295b3ebd8d64486d2110d2fd1891d14a6aa4c3c9425cb424f8e70410eac08404c11d036c399fe8d34f23cdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
73c78361c185a6d37d16f323adbfccf0

SHA1
6572b6f9fa7b836c0364f721454a664e565af886

SHA256
37138930220f56284c491048baaf64b62e27247cba7737df8b5d4aed327caa57

SHA512
6c97582020e5071b82e49f6af6f5fe956a2921b268a92635f15e92c681669bad733f4c07e18ef59fe05d33524e01c26eeea30e32193b75be23f583250929a5bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581170.TMP

Filesize
371B

MD5
3daf02132d13b9a54e586bcba07b6f31

SHA1
15101b8fb2760e941b59cc305910726ce56eace0

SHA256
8f9982ba555667c8891a3bc28449a782ebac7e716825f9e47a439e3a59d3039c

SHA512
418c42a243bb554721c963840de295822bc31a5e105f87efddf4f7c10bdf257442957caf27ea26be26f1a7293b1dadc943e70c74bf9e6c64db4dc017608e0ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
178279334eae93a5ba614bfca426ad19

SHA1
1b4d9b38160a3f2f4f16e2db2ebc10a0845c95b0

SHA256
cc2bd79577cf9a6defb84f6f01097f9f9a8290e91c8696b8252be5cce28c2440

SHA512
729ddf8025bc06ab24107cba57b8ea6431b120fa7d85f1ad90fe5ad166fcb5cc95f445cecaa370e8fe4b7abfec567b2b4d6e09097da346f2041de201e45bb1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1d28a205bc145a6a07c6fe838abb94ed

SHA1
572c9899e82fb3729f78ec0acd976d87c7936557

SHA256
777628275b29b896ec5713ad48a1fb6893badc1908202a87aea4695911a05b3f

SHA512
a506921e233538a79ebf18769dece71ba0285a1d423055e6b73ef29600f2af6fd2f103b75380b953070045c9124b8991e2cca789c0ccdf788440a3c6be162c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nv33wd1i.m3v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
memory/880-20-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/880-14-0x00000203D9090000-0x00000203D90A0000-memory.dmp

Filesize
64KB

Download
memory/880-8-0x00000203D9980000-0x00000203D99A2000-memory.dmp

Filesize
136KB

Download
memory/880-13-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/880-15-0x00000203D9090000-0x00000203D90A0000-memory.dmp

Filesize
64KB

Download
memory/880-17-0x00000203D9090000-0x00000203D90A0000-memory.dmp

Filesize
64KB

Download
memory/880-16-0x00000203D9090000-0x00000203D90A0000-memory.dmp

Filesize
64KB

Download
memory/2260-90-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2260-33-0x0000000000190000-0x00000000001B8000-memory.dmp

Filesize
160KB

Download
memory/2260-34-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2260-284-0x000000001AE40000-0x000000001AE50000-memory.dmp

Filesize
64KB

Download
memory/2288-79-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-80-0x0000018CAF5C0000-0x0000018CAF5D0000-memory.dmp

Filesize
64KB

Download
memory/2288-93-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-0-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2336-62-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-2-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2336-1-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-76-0x000001D7D7180000-0x000001D7D7190000-memory.dmp

Filesize
64KB

Download
memory/2804-63-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-64-0x000001D7D7180000-0x000001D7D7190000-memory.dmp

Filesize
64KB

Download
memory/2804-65-0x000001D7D7180000-0x000001D7D7190000-memory.dmp

Filesize
64KB

Download
memory/2804-78-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-180-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-142-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-143-0x00000292E9D80000-0x00000292E9D90000-memory.dmp

Filesize
64KB

Download
memory/3940-155-0x00000292E9D80000-0x00000292E9D90000-memory.dmp

Filesize
64KB

Download
memory/3940-144-0x00000292E9D80000-0x00000292E9D90000-memory.dmp

Filesize
64KB

Download
memory/4120-94-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-114-0x0000013A676B0000-0x0000013A676C0000-memory.dmp

Filesize
64KB

Download
memory/4120-95-0x0000013A676B0000-0x0000013A676C0000-memory.dmp

Filesize
64KB

Download
memory/4120-96-0x0000013A676B0000-0x0000013A676C0000-memory.dmp

Filesize
64KB

Download
memory/4120-108-0x0000013A676B0000-0x0000013A676C0000-memory.dmp

Filesize
64KB

Download
memory/4120-121-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-52-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-50-0x0000022FE6A40000-0x0000022FE6A50000-memory.dmp

Filesize
64KB

Download
memory/4648-49-0x0000022FE6A40000-0x0000022FE6A50000-memory.dmp

Filesize
64KB

Download
memory/4648-48-0x0000022FE6A40000-0x0000022FE6A50000-memory.dmp

Filesize
64KB

Download
memory/4648-47-0x0000022FE6A40000-0x0000022FE6A50000-memory.dmp

Filesize
64KB

Download
memory/4648-45-0x00007FFB736E0000-0x00007FFB741A1000-memory.dmp

Filesize
10.8MB

Download