xenorat | hxxps://file[.]io/ahrOqjIyD4Fb

Analysis

max time kernel
18s
max time network
40s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24/11/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/ahrOqjIyD4Fb

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

192.168.0.237

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
8888
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00260000000451a6-218.dat	family_xenorat
behavioral1/memory/6404-369-0x0000000000430000-0x00000000004AC000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124215229.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6d298f9d-1a98-4b5a-aed1-70a39a3e11a2.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Superposition Bookcase (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 599922.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
1048	msedge.exe
1048	msedge.exe
5472	msedge.exe
5472	msedge.exe
6828	identity_helper.exe
6828	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe
1048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4596	1048	msedge.exe	81
PID 1048 wrote to memory of 4596	1048	msedge.exe	81
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 4016	1048	msedge.exe	82
PID 1048 wrote to memory of 436	1048	msedge.exe	83
PID 1048 wrote to memory of 436	1048	msedge.exe	83
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84
PID 1048 wrote to memory of 2532	1048	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/ahrOqjIyD4Fb
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff88fe746f8,0x7ff88fe74708,0x7ff88fe74718
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8632 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9768 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9884 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10276 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8620 /prefetch:8
  2⤵
  PID:6596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:6616
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff71a9e5460,0x7ff71a9e5470,0x7ff71a9e5480
    3⤵
    PID:6568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:6860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:6868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10776 /prefetch:1
  2⤵
  PID:7140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10176 /prefetch:1
  2⤵
  PID:6488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:6596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1843980106894407068,4657180427439910220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:6348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Users\Admin\Desktop\Superposition Bookcase (1).exe
"C:\Users\Admin\Desktop\Superposition Bookcase (1).exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6404

C:\Users\Admin\Desktop\Superposition Bookcase (1).exe
"C:\Users\Admin\Desktop\Superposition Bookcase (1).exe"
1⤵
PID:7004

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:6376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63716c70d402b580d244ae24bf099add

SHA1
98a3babcd3a2ba832fe3acb311cd30a029606835

SHA256
464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233

SHA512
dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f09e1f1a17ea290d00ebb4d78791730

SHA1
5a2e0a3a1d0611cba8c10c1c35ada221c65df720

SHA256
9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167

SHA512
3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3142867bfdac73940ad3f44707d4ae0

SHA1
4689ca6d45f797ca30b6a86f14cf2b74e53926d1

SHA256
a18d3c644c895cc0879d3f1e3b31429e4c5e927efa17019ea10e90b0c01975b1

SHA512
c9908c471ec3b801d90de2146e3c897a77a7c93493e357267e86b20b81ce6a58751cf9c97a042fcb527fd234b88647a3d9c781d565842f54f8e5affd1638b968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f049de2592d2bfc278ccd28bf75835eb

SHA1
5d9a4d8929d3129c1e48beff4e642eafc8ca7933

SHA256
a7a75d83933a35d67306bdbaa629bf543154054b26d16e891dba5f251ac55b44

SHA512
7115067eea9134a521b5ec95e6c4f006f2804f8e4dd69363212c690c70f395c43f298a9dd68a3ef58637b60fe30140b09f69f664d1af87107be8d562d89d81c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
d10949a470f90b473ac26ddcf8135dd1

SHA1
3dac99a48022ef75d42b0d9f2984fedcf6d1c776

SHA256
05e10e1bee513f9264b5a5c14c6cbce18cb91b53592f59af1617b70753d4e5cb

SHA512
f6746fae6c7ea058dc507730f8f904d8b4397300e2c499354af77bd828802dcafac048b12c947f842e257d371d60c1527ea4bb5766fbba7aa16987d0a5090b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
aa10f656cc16d036a580048ba0bdac0b

SHA1
52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c

SHA256
166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d

SHA512
748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ee8e616a03201ab31e032c60a6d81b15

SHA1
4fa72ee1a3ed74f7798b3b58cabe174c675adc12

SHA256
2d77f4c62538359ca9c795a3be97c3817adb7954e004fe4b85cfffbf216f64c7

SHA512
97640f1aec0c917ca0bdda6f0228eff1d4274d2d681c73206be660697d3a7fefbdeeda23d6e3fa853228be633b4988e543a41f84bd027493c7d633089c863151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de5c6ecf54f7d242687d00c1375552f0

SHA1
b5fe55ce9995f32e3f32413e27fdce1ff9cdf3ac

SHA256
9647cbea6ecc2012addd586af9f438191a487166cab54747b0c63f992dc9896c

SHA512
a6a08b2a83ba03797c97fad4e928219977a53cb32a35565f5d9b6cd7cd6d84dbc4c78ffe47857f85d8b5ed97a2bbe046a8cc55b89711c3d82329dadabf381034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a120d58007a737a73cac34330a114edd

SHA1
a539ee8a3f79598a6636f489f7645f09b36c30b7

SHA256
3fb839a66d3d80caf61198ef7fdde4fbdc1d5768e60635d9ac44eef3aa17ba94

SHA512
5e75a3e31d6a0b4228c5f1906bc8496191a084042cb95acb03e2c35adbb405ac53dc3f7c878b3496022ed62f69bd03ba8d89841303c99b5145b2f0cec9608364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3a9326f8dd39fa04a5af68bdd36e258c

SHA1
f7509c0a60e6cd3f0bcebcb1ef12795f3bc9017d

SHA256
4b9093aa6c694b5bb178d00888f16556ce37971e34515a21b258eb950fa7eadf

SHA512
957eb8401a5be15f0dc97c1421ec07e3899ad31d2037089a815d7bb3de212987a8d33ab86cf77aea3480a4fa38b065f3ffd4def7294d207c7a4019b9dc9725a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
430ffac6792f2c1bd67a0c47b24aef04

SHA1
b6bb0a10d167275e6cd69ee9317ad54a8a2c7435

SHA256
455f3c60c58963c148dfd50611e637c88ec4561ff6de2456283b0cc79ed21bbf

SHA512
1a4fe2e043cab7612005c63197036cab403943e6e620f869036c25d90cb932d6a529afa27014e12326a5352f5fe1cd4c045529924d041c20fa111b92a1739170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe7d2cbeae8c52317629b276536c463b

SHA1
209d95bde503a3ac2cb7a45fff3e90b4cd31dd60

SHA256
7a9f9d9bb17c856fbbb017e6275f562b4ac64360be6dfc16f3c00d962c664990

SHA512
84a7128e56883592e65216fd4400b0a8578c7fe17932d3c7496684a5fb7ec72903f53c6d7f1d37b45fa665d02101b39b53628c88a2910652d93512a1d9a0e493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
982143b73e4a6f1c852c545cb7f8dd06

SHA1
7dee0635d4b7fd50b2ce316ccad4e7bf9803c39a

SHA256
d9bd520f462dcd5a5aecd6a9b0792045c18c477556f3a8a11d08729483db105f

SHA512
7f04786924520d9b5d67cc7ea8f50130ef560754853535bc6719ddc387eda4a10c13438e5dc6308e35aa4321036fe51060a8ffa63c6258853692e77f85db7bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0a0ef4c4a1d167a69cff19c4bc1aa563

SHA1
3221b73f12a2a97ba284ca548e3d67712d249370

SHA256
18fce144ce7474ab2a56f798e2fc823c0fded0d27346daf71e05d9a5b31033f2

SHA512
661a06860aeddf3a70ad8e57262d1e33fc66be2959ea89fa3de00c1d82d0c26ee6d08cc01439055bc547c6593dc4c3af42634c6552f3e7fa6ecaa2fceb81bb9e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 599922.crdownload

Filesize
468KB

MD5
db35935944e3ba5d60cb1a38b9675d19

SHA1
e68f0f2a163460c2ed58861f2aa01de701e6f52a

SHA256
3855cba57d15601b025e00b33d0b1f7bb3f5c5d0163fdec2d3cfbf362679ec97

SHA512
e402c4d5d8cd1dd2e7970ad00f9b6a74bb3e56fbd01d94d546a27d0b6d8a9727829accca3312f5e899b8c75235b378f485e7a1c1975505da53856731df910c6d

Download Submit
memory/6376-439-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-440-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-441-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-451-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-450-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-449-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-448-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-447-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-446-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6376-445-0x000001ED5DA20000-0x000001ED5DA21000-memory.dmp

Filesize
4KB

Download
memory/6404-369-0x0000000000430000-0x00000000004AC000-memory.dmp

Filesize
496KB

Download