xworm | b2b6f755e9f8d67db3cb935366bce9332128724cc1289bf22a965b109a1bd1d9

Analysis

max time kernel
1712s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xbox.exe
Size

320KB
MD5

39c325147eefd81ff4a953df9584095b
SHA1

04677ae1dbce1f873d06a749a664cead2007b706
SHA256

b2b6f755e9f8d67db3cb935366bce9332128724cc1289bf22a965b109a1bd1d9
SHA512

02dc42aad55ac0f4d59caeaae2faab620bf9842f92c0b1fc61a68b38e5239a027c5b81cf20895f0bfaa79da1fa49850fb05e51d5c6e0409752024a7b6b7a289f
SSDEEP

6144:Io+H+GqLsquZEKWU7eTxeqAhOCvP2wfrkTi:IoDGKsqRKBCTXqjkTi

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603

Attributes

Install_directory
%ProgramData%
install_file
Onedrive.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234ba-6.dat	family_xworm
behavioral2/files/0x00070000000234c1-17.dat	family_xworm
behavioral2/memory/2468-25-0x00000000004B0000-0x00000000004E0000-memory.dmp	family_xworm
behavioral2/memory/1044-26-0x0000000000A00000-0x0000000000A2A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5504	powershell.exe
3644	powershell.exe
4756	powershell.exe
2584	powershell.exe
2092	powershell.exe
4488	powershell.exe
4772	powershell.exe
1148	powershell.exe
2680	powershell.exe
556	powershell.exe
764	powershell.exe
3028	powershell.exe
5716	powershell.exe
5520	powershell.exe
1196	powershell.exe
1408	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Runtime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Xbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Microsoft OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WindowsSecurity.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Onedrive.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onedrive.lnk	Microsoft OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onedrive.lnk	Microsoft OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime.lnk	Runtime.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Onedrive.lnk	Onedrive.exe

Executes dropped EXE 42 IoCs

pid	Process
2468	Microsoft OneDrive.exe
1044	WindowsSecurity.exe
6012	Runtime.exe
6016	Onedrive.exe
5460	Runtime.exe
4024	Onedrive.exe
3836	Runtime.exe
2356	Onedrive.exe
5680	Onedrive.exe
3092	Runtime.exe
5772	Onedrive.exe
2852	Runtime.exe
6036	Runtime.exe
5812	Onedrive.exe
3528	Runtime.exe
2432	Onedrive.exe
460	Onedrive.exe
4136	Runtime.exe
5604	Onedrive.exe
3876	Runtime.exe
3040	Runtime.exe
3372	Onedrive.exe
1268	Onedrive.exe
3028	Runtime.exe
2832	Onedrive.exe
212	Runtime.exe
1152	Onedrive.exe
888	Runtime.exe
1544	Onedrive.exe
3828	Runtime.exe
5480	Onedrive.exe
3012	Runtime.exe
5108	Onedrive.exe
4552	Runtime.exe
5616	Onedrive.exe
744	Runtime.exe
1036	Onedrive.exe
5740	Runtime.exe
2164	Runtime.exe
4912	Onedrive.exe
2352	Runtime.exe
3952	Onedrive.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime = "C:\\Users\\Public\\Runtime.exe"	WindowsSecurity.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Onedrive = "C:\\ProgramData\\Onedrive.exe"	Microsoft OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime = "C:\\Users\\Public\\Runtime.exe"	Runtime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Onedrive = "C:\\ProgramData\\Onedrive.exe"	Onedrive.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com
102	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId	CastSrv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6108	schtasks.exe
6100	schtasks.exe
320	schtasks.exe
5672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
764	powershell.exe
764	powershell.exe
3644	powershell.exe
764	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe
1196	powershell.exe
1196	powershell.exe
1408	powershell.exe
1408	powershell.exe
1196	powershell.exe
1408	powershell.exe
5412	msedge.exe
5412	msedge.exe
5504	powershell.exe
5504	powershell.exe
5504	powershell.exe
5716	powershell.exe
5716	powershell.exe
5716	powershell.exe
1148	powershell.exe
1148	powershell.exe
2584	powershell.exe
2584	powershell.exe
5520	powershell.exe
5520	powershell.exe
2092	powershell.exe
2092	powershell.exe
3028	powershell.exe
3028	powershell.exe
4488	powershell.exe
4488	powershell.exe
2680	powershell.exe
2680	powershell.exe
556	powershell.exe
556	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	Microsoft OneDrive.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	Microsoft OneDrive.exe
Token: SeDebugPrivilege	1044	WindowsSecurity.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	5504	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	2468	Microsoft OneDrive.exe
Token: SeDebugPrivilege	1044	WindowsSecurity.exe
Token: SeDebugPrivilege	6016	Onedrive.exe
Token: SeDebugPrivilege	6012	Runtime.exe
Token: SeDebugPrivilege	5460	Runtime.exe
Token: SeDebugPrivilege	4024	Onedrive.exe
Token: SeDebugPrivilege	3836	Runtime.exe
Token: SeDebugPrivilege	2356	Onedrive.exe
Token: SeDebugPrivilege	5680	Onedrive.exe
Token: SeDebugPrivilege	3092	Runtime.exe
Token: SeDebugPrivilege	2852	Runtime.exe
Token: SeDebugPrivilege	5772	Onedrive.exe
Token: SeDebugPrivilege	6036	Runtime.exe
Token: SeDebugPrivilege	5812	Onedrive.exe
Token: SeDebugPrivilege	2432	Onedrive.exe
Token: SeDebugPrivilege	3528	Runtime.exe
Token: SeDebugPrivilege	460	Onedrive.exe
Token: SeDebugPrivilege	4136	Runtime.exe
Token: SeDebugPrivilege	5604	Onedrive.exe
Token: SeDebugPrivilege	3876	Runtime.exe
Token: SeDebugPrivilege	3372	Onedrive.exe
Token: SeDebugPrivilege	3040	Runtime.exe
Token: SeDebugPrivilege	3028	Runtime.exe
Token: SeDebugPrivilege	1268	Onedrive.exe
Token: SeDebugPrivilege	2832	Onedrive.exe
Token: SeDebugPrivilege	212	Runtime.exe
Token: SeDebugPrivilege	888	Runtime.exe
Token: SeDebugPrivilege	1152	Onedrive.exe
Token: SeDebugPrivilege	1544	Onedrive.exe
Token: SeDebugPrivilege	3828	Runtime.exe
Token: SeDebugPrivilege	5480	Onedrive.exe
Token: SeDebugPrivilege	3012	Runtime.exe
Token: SeDebugPrivilege	4552	Runtime.exe
Token: SeDebugPrivilege	5108	Onedrive.exe
Token: SeDebugPrivilege	5616	Onedrive.exe
Token: SeDebugPrivilege	744	Runtime.exe
Token: SeDebugPrivilege	5740	Runtime.exe
Token: SeDebugPrivilege	1036	Onedrive.exe
Token: SeDebugPrivilege	4912	Onedrive.exe
Token: SeDebugPrivilege	2164	Runtime.exe
Token: SeDebugPrivilege	3952	Onedrive.exe
Token: SeDebugPrivilege	2352	Runtime.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2352	Runtime.exe
Token: SeDebugPrivilege	3952	Onedrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2468	2544	Xbox.exe	84
PID 2544 wrote to memory of 2468	2544	Xbox.exe	84
PID 2544 wrote to memory of 1044	2544	Xbox.exe	85
PID 2544 wrote to memory of 1044	2544	Xbox.exe	85
PID 2468 wrote to memory of 764	2468	Microsoft OneDrive.exe	98
PID 2468 wrote to memory of 764	2468	Microsoft OneDrive.exe	98
PID 1044 wrote to memory of 3644	1044	WindowsSecurity.exe	99
PID 1044 wrote to memory of 3644	1044	WindowsSecurity.exe	99
PID 1044 wrote to memory of 4756	1044	WindowsSecurity.exe	102
PID 1044 wrote to memory of 4756	1044	WindowsSecurity.exe	102
PID 2468 wrote to memory of 4772	2468	Microsoft OneDrive.exe	104
PID 2468 wrote to memory of 4772	2468	Microsoft OneDrive.exe	104
PID 1044 wrote to memory of 1196	1044	WindowsSecurity.exe	110
PID 1044 wrote to memory of 1196	1044	WindowsSecurity.exe	110
PID 2468 wrote to memory of 1408	2468	Microsoft OneDrive.exe	112
PID 2468 wrote to memory of 1408	2468	Microsoft OneDrive.exe	112
PID 3328 wrote to memory of 5144	3328	msedge.exe	116
PID 3328 wrote to memory of 5144	3328	msedge.exe	116
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5404	3328	msedge.exe	117
PID 3328 wrote to memory of 5412	3328	msedge.exe	118
PID 3328 wrote to memory of 5412	3328	msedge.exe	118
PID 3328 wrote to memory of 5492	3328	msedge.exe	119
PID 3328 wrote to memory of 5492	3328	msedge.exe	119
PID 3328 wrote to memory of 5492	3328	msedge.exe	119
PID 3328 wrote to memory of 5492	3328	msedge.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xbox.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Onedrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Onedrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5716
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Onedrive" /tr "C:\ProgramData\Onedrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6100
- - C:\Windows\SYSTEM32\CMD.EXE
    "CMD.EXE"
    3⤵
    PID:2176
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:5964
- C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5504
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime" /tr "C:\Users\Public\Runtime.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9f2d6668h9729h47cchab35h62bc1c5db16c
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd57eb46f8,0x7ffd57eb4708,0x7ffd57eb4718
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7124416451496143559,2643894475166577856,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7124416451496143559,2643894475166577856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7124416451496143559,2643894475166577856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5816

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5204

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
- Modifies registry class
PID:3316

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:2432

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5604

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\ProgramData\Onedrive.exe
C:\ProgramData\Onedrive.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Onedrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Onedrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Onedrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Onedrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Onedrive" /tr "C:\ProgramData\Onedrive.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5672

C:\Users\Public\Runtime.exe
C:\Users\Public\Runtime.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime" /tr "C:\Users\Public\Runtime.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b96e156ab5a4189ee66f10b61b1ea0ea

SHA1
f722b85bf953ade8deddb7e0ada82744e5338d48

SHA256
4a3e09cdeaf80f2b59b5feb32547fa2bacb4f4e1272415b4250236d7b243b1f1

SHA512
772e87361ebade116b8b5315c2332cf24107c1e955b8e20c846f67baca5d9c32db4b8d1ef5357a7f4ec6752317fb2a67a22821db8d3097a6f72818c4ab3cc244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6e1e6c3de0f07376a6620ad39d2475c6

SHA1
c9bb1381578435461487da108f810871982bb9ca

SHA256
0aefb244abbfcfd52c38c09125160964e790f490a38894134a7519bbad46d43c

SHA512
b010d2cc73442e191a692a1d91a377c2dadb36c1336280eb6bd8b2023ebf2e6f7899304c04066438732824c6df96b6767ed23cba7492cee1e3e74db454e65194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a4a983f3041e534fd0437ef18cc766f

SHA1
95b9588cbb6e2923a77be844f8fa0b89facef85e

SHA256
413948561f5e65d28641df742f64246dae04ed9a2b9657f1f810edf2d9c4ca7f

SHA512
f2deb4b030e09ecf72ac957f0f1cb77f03fa27578451bab12f932c2f4cdc8f9fa951271fca0a25eca35b2eec43a264d0010356c5248ab7274823aea5d86c6b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe

Filesize
166KB

MD5
cc351e8615d9d9a5fd9d47e9a121e860

SHA1
749de9231c48a22331856110657084256b263302

SHA256
ad1ea7cbd9d40b502b67d1e66c128e5cfac15b134e0ae7b39be03212f7bef6bf

SHA512
005cd2aa9fb144428694b2a440679ad312fcc29cc08c9e21cf57fc1e3e299ea3a8c17920660d500547e35045328b2790e86f6fea86b3f8100b2db323f412890c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsSecurity.exe

Filesize
142KB

MD5
8cf2d899e5413f0fdb6f4664fc529bf5

SHA1
863e9f32cf67da0ad74668bf7b078c9a97844d40

SHA256
ebf701c71239f7365dbad17d1f320eeebad44726da028f2b0ac6cb247b914d8e

SHA512
bc74658818feb7481fe4980b6ba2dcdbee4d1a2aca206b8552c7265fdca4aabd37294d729c5430b3e1302f4df2169b29cf6f7ae0c59e115fd40577a427b146b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbdxujlu.pwm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1044-28-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/1044-26-0x0000000000A00000-0x0000000000A2A000-memory.dmp

Filesize
168KB

Download
memory/1044-30-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/1044-234-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/1044-179-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2468-25-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/2468-27-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2468-178-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2468-180-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2468-193-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2468-235-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2468-29-0x00007FFD5E170000-0x00007FFD5EC31000-memory.dmp

Filesize
10.8MB

Download
memory/2544-0-0x00007FFD5E173000-0x00007FFD5E175000-memory.dmp

Filesize
8KB

Download
memory/2544-1-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/3644-31-0x0000024E3DF50000-0x0000024E3DF72000-memory.dmp

Filesize
136KB

Download