limerat | eeff87f3b345b9b42f721cfdd82fa81e229c7599ef4a24d3af914e2740a7a44c

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2023 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231121-16-Lime-098e00.exe
Size

66KB
MD5

50b2b692da0c363e301709a28b30afaf
SHA1

098e00413ba405bcc72b71a5869c2d151e93448a
SHA256

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
SHA512

d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
SSDEEP

1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\one.exe	family_xworm
C:\Windows\System32\one.exe	family_xworm
C:\Windows\System32\one.exe	family_xworm
behavioral32/memory/4408-32-0x0000000000570000-0x0000000000598000-memory.dmp	family_xworm

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

one.exe231121-16-Lime-098e00.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	one.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	231121-16-Lime-098e00.exe

Executes dropped EXE 2 IoCs

Processes:

one.exeses.exe

pid process

4408 one.exe
1996 ses.exe

pid	process
4408	one.exe
1996	ses.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

231121-16-Lime-098e00.exeone.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe"	231121-16-Lime-098e00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe"	231121-16-Lime-098e00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe"	one.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
15	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

231121-16-Lime-098e00.exe

description	ioc	process
File created	C:\Windows\System32\one.exe	231121-16-Lime-098e00.exe
File opened for modification	C:\Windows\System32\one.exe	231121-16-Lime-098e00.exe
File created	C:\Windows\System32\ses.exe	231121-16-Lime-098e00.exe
File opened for modification	C:\Windows\System32\ses.exe	231121-16-Lime-098e00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1388 schtasks.exe
4496 schtasks.exe

pid	process
1388	schtasks.exe
4496	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

one.exe

pid process

4408 one.exe

pid	process
4408	one.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeone.exeidentity_helper.exemsedge.exe

pid	process
1524	powershell.exe
1524	powershell.exe
4360	powershell.exe
4360	powershell.exe
4020	powershell.exe
4020	powershell.exe
220	powershell.exe
220	powershell.exe
2608	powershell.exe
2608	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
232	msedge.exe
232	msedge.exe
392	msedge.exe
392	msedge.exe
4408	one.exe
4408	one.exe
3496	identity_helper.exe
3496	identity_helper.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

231121-16-Lime-098e00.exepowershell.exeone.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2940	231121-16-Lime-098e00.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4408	one.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

one.exe

pid process

4408 one.exe

pid	process
4408	one.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

231121-16-Lime-098e00.exeone.exeses.exemsedge.exe

description	pid	process	target process
PID 2940 wrote to memory of 1524	2940	231121-16-Lime-098e00.exe	powershell.exe
PID 2940 wrote to memory of 1524	2940	231121-16-Lime-098e00.exe	powershell.exe
PID 2940 wrote to memory of 4496	2940	231121-16-Lime-098e00.exe	schtasks.exe
PID 2940 wrote to memory of 4496	2940	231121-16-Lime-098e00.exe	schtasks.exe
PID 2940 wrote to memory of 4408	2940	231121-16-Lime-098e00.exe	one.exe
PID 2940 wrote to memory of 4408	2940	231121-16-Lime-098e00.exe	one.exe
PID 2940 wrote to memory of 4360	2940	231121-16-Lime-098e00.exe	powershell.exe
PID 2940 wrote to memory of 4360	2940	231121-16-Lime-098e00.exe	powershell.exe
PID 2940 wrote to memory of 1388	2940	231121-16-Lime-098e00.exe	schtasks.exe
PID 2940 wrote to memory of 1388	2940	231121-16-Lime-098e00.exe	schtasks.exe
PID 2940 wrote to memory of 1996	2940	231121-16-Lime-098e00.exe	ses.exe
PID 2940 wrote to memory of 1996	2940	231121-16-Lime-098e00.exe	ses.exe
PID 2940 wrote to memory of 1996	2940	231121-16-Lime-098e00.exe	ses.exe
PID 4408 wrote to memory of 4020	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 4020	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 220	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 220	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 2608	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 2608	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 4956	4408	one.exe	powershell.exe
PID 4408 wrote to memory of 4956	4408	one.exe	powershell.exe
PID 1996 wrote to memory of 232	1996	ses.exe	msedge.exe
PID 1996 wrote to memory of 232	1996	ses.exe	msedge.exe
PID 232 wrote to memory of 1308	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1308	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4696	232	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\231121-16-Lime-098e00.exe
"C:\Users\Admin\AppData\Local\Temp\231121-16-Lime-098e00.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4496
- C:\Windows\System32\one.exe
  "C:\Windows\System32\one.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1388
- C:\Windows\System32\ses.exe
  "C:\Windows\System32\ses.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb84246f8,0x7ffdb8424708,0x7ffdb8424718
      4⤵
      PID:1308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:4696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
      4⤵
      PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
      4⤵
      PID:1912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      4⤵
      PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2880 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb84246f8,0x7ffdb8424708,0x7ffdb8424718
      4⤵
      PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
0255974c09d8f224f8394fa054116e35

SHA1
5c112376e6c76260cac8b609bb9d406d685c8c84

SHA256
897394b319ff86d26dc730dbd5d1f6e292425252ca11819430deb016fba1d453

SHA512
438f7af776b3165f7ce0722bb696f5f4e9da5f2a0920cb79d28d7a16aa02d38d8c46494e71947ca192b468aa1706da2171b6b785448f87ad424e269c7b4eda92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
61bcfefe304e878c3a4215a2e336aedd

SHA1
9b5ed5b5ff1cfd88e2d7f78a3ee4c2c2f4327585

SHA256
405269611eac974bd0269a71777dcbd1c05ace39a3e9a949075e0b19d3e082ca

SHA512
59c8ac8b1c5d69ae3c070e81a120f1b2d97f0f66ff77941e700aa84bbdd6485ccf0833ee17454ba465b650115e282de813119bb649cfff4da99f9d4fe51f6286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c37df17f6bb11be9791ae11b43768d0

SHA1
6f30f7301760cc3d8dcd85ffb1a924f1cf9c2421

SHA256
e466357f2ffac87f6a8708c7f247ebf64a37a34a1661060a552d1aa1d4904a4f

SHA512
0b37aa205c0e77d17eda013365c83e69a8a1383a6be12d29cd2eaea97a3eae5443992741ac69ba272cf555f3bd747db439ad38eb26683add483a56824552c6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63849645ccdbf32c41f37ee376d1e907

SHA1
4abec647c3658ba40b7a23bfd5497ceb79dd0b78

SHA256
bcf5abb647c34deebe8724b9986d96f7f1d145593a51aa6461e81c50d6172fca

SHA512
0ccd101566d2233fa1c9846890f0c4b777ef10451cec9d3807e9f5058bffdca28a846ec2af3722f248d344da099ea67fd277e4076baffc5e9f413c943e0128b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9ca4d0dc89dd44713448e00fa997efb8

SHA1
fbdc4c46b7641be331c6d7c4b54df4959b887dba

SHA256
e87a00c93c0be1cd04924ecdc7fd50a4a06004afc8bc6db1c98e0033792e0060

SHA512
86a6b9b0d6fc1d5ac569381fcd0b73267500c90987006761696abd4d0cadc7b8ed0fdebc1eb7afb0def8c6af1cf0c5d15600699bdd51b9af36ed465bd5394db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584e4a.TMP

Filesize
371B

MD5
e3ece777cba830c6b451e393e162c1cd

SHA1
3e36b049c407b392f95c38e5c8cfde7a1425dc97

SHA256
fd2e7cfc2180e46f12291ad841ad2df16861ebdb3383ef56233b21c73b0a2251

SHA512
6a8d36458e90482891dd8e015ec4b34e9dfe861041d244cd0073b3c79feeaaebcbe2180a1ca486afc1f6d751ede72f9ed89ff803f986467eee0938df32888323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1d45d79bd0fc27893833e32f69a4cc43

SHA1
6e6de4336fd4508287b312b1bbe46e29de8ab963

SHA256
84448fad89811e6b1e74f5963f805da8ae0ca2e9afafdcfceb5b4c692cce7f77

SHA512
8b4fc410fe1073879f885683e3b9389df02cb6aa71663a464234e16313a69e7638f7c5ff40db4bf49cceb371621b50ac5c596c7a103cb4266ae7816353e9fb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf3651a8682259b5e292b98289271f76

SHA1
4694a32734c377985dafbd15e26b9a129f1e4a45

SHA256
5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575

SHA512
d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpap4edi.zzg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\one.exe

Filesize
142KB

MD5
2f2fed589cef6c6973db3dd854a6ba13

SHA1
6a121feaa70814260efcc50a0b48696cd0cf570e

SHA256
1d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36

SHA512
c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
C:\Windows\System32\ses.exe

Filesize
28KB

MD5
ab9502a920271fd1cf060f388a45fcd0

SHA1
c7292f1d76eae037d3ea5dbbc171eee21bc944d8

SHA256
e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787

SHA512
7fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452

Download Submit
\??\pipe\LOCAL\crashpad_232_NWPRJIPXINGCDQLW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-88-0x0000029650170000-0x0000029650180000-memory.dmp

Filesize
64KB

Download
memory/220-94-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/220-87-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/220-90-0x0000029650170000-0x0000029650180000-memory.dmp

Filesize
64KB

Download
memory/220-91-0x0000029650170000-0x0000029650180000-memory.dmp

Filesize
64KB

Download
memory/1524-19-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/1524-16-0x0000029929310000-0x0000029929320000-memory.dmp

Filesize
64KB

Download
memory/1524-15-0x0000029929310000-0x0000029929320000-memory.dmp

Filesize
64KB

Download
memory/1524-14-0x0000029929310000-0x0000029929320000-memory.dmp

Filesize
64KB

Download
memory/1524-13-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/1524-12-0x00000299292D0000-0x00000299292F2000-memory.dmp

Filesize
136KB

Download
memory/2608-95-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/2608-107-0x000001E3AB650000-0x000001E3AB660000-memory.dmp

Filesize
64KB

Download
memory/2608-109-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/2608-105-0x000001E3AB650000-0x000001E3AB660000-memory.dmp

Filesize
64KB

Download
memory/2940-1-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/2940-50-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/2940-2-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/2940-0-0x0000000000030000-0x0000000000046000-memory.dmp

Filesize
88KB

Download
memory/2940-62-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/2940-46-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4020-72-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4020-77-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4020-74-0x00000298569C0000-0x00000298569D0000-memory.dmp

Filesize
64KB

Download
memory/4020-73-0x00000298569C0000-0x00000298569D0000-memory.dmp

Filesize
64KB

Download
memory/4360-35-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4360-36-0x000002A946360000-0x000002A946370000-memory.dmp

Filesize
64KB

Download
memory/4360-48-0x000002A946360000-0x000002A946370000-memory.dmp

Filesize
64KB

Download
memory/4360-52-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4360-49-0x000002A946360000-0x000002A946370000-memory.dmp

Filesize
64KB

Download
memory/4408-290-0x0000000001800000-0x0000000001810000-memory.dmp

Filesize
64KB

Download
memory/4408-180-0x0000000001800000-0x0000000001810000-memory.dmp

Filesize
64KB

Download
memory/4408-33-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4408-32-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/4408-93-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4956-129-0x00000212C8200000-0x00000212C8210000-memory.dmp

Filesize
64KB

Download
memory/4956-111-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download
memory/4956-112-0x00000212C8200000-0x00000212C8210000-memory.dmp

Filesize
64KB

Download
memory/4956-113-0x00000212C8200000-0x00000212C8210000-memory.dmp

Filesize
64KB

Download
memory/4956-156-0x00007FFDA8D40000-0x00007FFDA9801000-memory.dmp

Filesize
10.8MB

Download