meduza | hxxps://github[.]com/Apietcsvmy/xeno-executor

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Apietcsvmy/xeno-executor

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral1/memory/4928-316-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-312-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-311-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-309-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-322-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-321-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-318-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-317-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-315-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-310-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-330-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-331-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-335-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-334-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-346-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-345-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-342-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-341-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-376-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-388-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-387-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-382-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-381-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-394-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-393-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-390-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-389-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-378-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-375-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-370-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-369-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-363-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-360-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-358-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-354-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-352-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-351-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-348-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-347-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-364-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza
behavioral1/memory/4928-357-0x00000240D7690000-0x00000240D788A000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	camo.githubusercontent.com
36	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api.ipify.org
95	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2032	cmd.exe
2888	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
2632	msedge.exe
2632	msedge.exe
1476	identity_helper.exe
1476	identity_helper.exe
4296	msedge.exe
4296	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	Xeno.exe
Token: SeDebugPrivilege	4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe
Token: SeImpersonatePrivilege	4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4928	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2732	2632	msedge.exe	84
PID 2632 wrote to memory of 2732	2632	msedge.exe	84
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3024	2632	msedge.exe	85
PID 2632 wrote to memory of 3548	2632	msedge.exe	86
PID 2632 wrote to memory of 3548	2632	msedge.exe	86
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87
PID 2632 wrote to memory of 2384	2632	msedge.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	321ae818-216c-48d3-a1f4-2557fd4e237e.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Apietcsvmy/xeno-executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4e6546f8,0x7ffe4e654708,0x7ffe4e654718
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8891146156641761382,1874880016525130721,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6532 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5072

C:\Users\Admin\Documents\Last_Update\Xeno.exe
"C:\Users\Admin\Documents\Last_Update\Xeno.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332
- C:\Users\Admin\AppData\Local\Temp\ccbb156e-dd7f-4a5d-a3d7-04428fa219f4\321ae818-216c-48d3-a1f4-2557fd4e237e.exe
  "C:\Users\Admin\AppData\Local\Temp\ccbb156e-dd7f-4a5d-a3d7-04428fa219f4\321ae818-216c-48d3-a1f4-2557fd4e237e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ccbb156e-dd7f-4a5d-a3d7-04428fa219f4\321ae818-216c-48d3-a1f4-2557fd4e237e.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2032
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2888

C:\Users\Admin\Documents\Last_Update\Xeno.exe
"C:\Users\Admin\Documents\Last_Update\Xeno.exe"
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xeno.exe.log

Filesize
1KB

MD5
638ba0507fa15cd4462cdd879c2114fa

SHA1
f23dfc22ea05f6abb8f9aa11a855ef8f3c51d7f2

SHA256
f91ebecc8963ff1840636f0c2a8f5350beb6eebab8b7d99068ad0b19bcccb478

SHA512
23d440dc8ecfa6c43e89895de038c564bb5e09174a6818a5952d5d589296a6ae77e71a4fc5de3773a6bf27aebb69bdb670f2a2609cf8658668759b50dffc8520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dfde9c7684c5999b726cffba9ccf723e

SHA1
84e6f3babcf1d358ea19c1149159a0b99d67791e

SHA256
12ae8cea27c3512d076281127a0ccbf507d44cf0bf80e0e113aadc54993537f6

SHA512
84ba1dc5b02e0ffd859b611214c87051bd8e0063fbd0ba5f94c949e52b8c878e6353eab17141ffcc4298bcec3150c75a5f1136b29d5601a2e38bc2dd849e266b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
d87dc69a2c0a5927ae15fd1ecfd16e4a

SHA1
a666cc9d58206847cd5f863f8607f0bc8a6da1cb

SHA256
111833e1fb5e8646f875f76198bda5001a0ce4309aca4abb6cafcd803413fc50

SHA512
5a1889f4c329db8b675c5157e5dcf16f5be1f0a36cd0874f0ebad0d16cb48185721b638375072f93f16d849ed3997bf9d732dba44815d99cbac9b7ed22d78bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ddc8f2b5c427e37fee15868fcf0b46aa

SHA1
c3d64548d2b03323556e90d08c263af63fc705a1

SHA256
378538ced574c1b8123c1b76b4ef644cda27a246e28427c84ae431c7216449e6

SHA512
d3ab48b0fdbabb50914618c477e59f173a3a8636c9b51b223f6dc092f5ce94f5fea2c52024142aecc8f1386f2fca93f24c1a94fe5d8ab553e34780eb64795f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
10338232841045e37d0651337c145852

SHA1
da9beebbab689287724bb2b32530bcfa5c0a118b

SHA256
aa5a9f4b425405b1a44ef20a045fef8510aa463a3da67fbf7b79780bfd65cf49

SHA512
f3cccd93b6e257e27c4d220ea89f5551e8614781e9baa5ec336970ab1bd93e7f39b50911f331803bcd107d4ffcf802b65bd6261c52cb58b90ec94823c3045ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
2bc5bcf212318c49bfeebfada7d95039

SHA1
6f776e1e9fb8eb26d5d7befa440e2fc9721b3e7d

SHA256
fa1c1f1195e8004b4b07f08e3b0c4748951edaf9a1a85bfe3a12e23a416ef43e

SHA512
407a989563232445f73f4bc3c34b1587ac86a398e4269b24f9ae29f16bb2bea38c411cc862af08253ecb885e41e7bd4be1b786d0c929bbf57db9c993f7c0e61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
744B

MD5
33da6ae9c0dad5b43b017c95e6c8e2ad

SHA1
fbd841c9256604b47650a099d49d2d60c74917b7

SHA256
2b0f787c1ee42251aab602ae95a7c7f92b9701f099ba399e6d3b1ec05c8bf49d

SHA512
be7ffb0898da575424c6c40e834b08eecc12e03305e31d6881d0840c3e4501dbf18b6783358b0dd15e404b49ef8ee72fd41e8caf388d664b8162b20e5ef3fb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5fa3a3f5c191b7ca5ac3921bde3985a

SHA1
de3ecff0f7290aa64d007989da5742b351e63240

SHA256
585effb748bead5cd3f68564e50ce64202cf7cc15d02bcc11745c746a00e33e9

SHA512
0d39025449a547c51d809c2bbe3364304d0e8ce16ce670ef5c36148bac21c8b8ba1d99a27bff7f9fe75966aa403db2dd227bdfd5f0059add9437400414ec752e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
307dc9e6afb88cdbd7da2175b0b72b87

SHA1
df9ecc33a96570bb1b6ed8542296ce6320a3c1a9

SHA256
d981abf6041aed58cedf2acf781204cdeb898bc49fe6e921d94ab0646f5f8e63

SHA512
a5e906375da5de010ff3174fd33915540b4d9ba88095bb377642a9ae2bde1a3f547f2195db891a3a18982d83d9367818c1ff5fae0f9134b618c06f628d638b60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0ebb8a69e6d1f55a03dd12eb707c9c3

SHA1
3c0616a5bbf8dff106f2444c5138d13912d16b90

SHA256
33a16298638567d30c61b9a0f16737c048c50befb9d8182e5d4697d5d0297e77

SHA512
acfec9dfb972c25e9e4f1d78ba4d8c2d998f194f9afe103c9fb41df134be1f5deef950d8e20e46eebcd2473afd1e73ade4f7de9bdc247b48e56fa31be24aa26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8110d690472e42d628292f6041a6b37

SHA1
99ec2b89b1d15b209838478b49178a950623ff36

SHA256
2d1d3695735eae5814ccec010db92500f2ba5a42b730a3945043f30a2078a32e

SHA512
13d0b576c4fe63dc3ea414033a19177f80167532a68f5fb9f5ce9f8109f7542f3f1e8472b038ac848bcf8ba47f5e67b185289d8d999f0222283e39df711de626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed2f.TMP

Filesize
1KB

MD5
fa3d104f5f07758b06df12002ef06012

SHA1
652e927eb7576a340c23e2575eaf0480f453ca76

SHA256
67af8064628e7aa27e4f893120bfca245cf10e3dcc511f08961c1b452f022b3b

SHA512
f9333eb0075ac099975fcd342b31e9bd8a5c1b93fa1e3c1f3f05eb9338ff028780efce9b4609cac320c5c0fd8a945ffc55c4be0bce96adbda73e985c919d63a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
150ef4ae1e99b42987e2a7c063194175

SHA1
40056a97bcdab76b91841bfc03291150f4551d8c

SHA256
3652d1b30e65f3acd87b0dfa4e804bfbca035fa8a33fe955c15db6aa70367bce

SHA512
4bbb7e80c2ce0f3b82a40917a29734c257621f6f79bba5ecd90b35f72797f0d9888f8a5a49d6217e3d47b5f0ae6f8b57f14320820ece3aa051cdac84dac78ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
62eca54a6d9784642ff641bf464688d2

SHA1
c737ecd6bdc66a8ff025da8ee12d7db9ca36a877

SHA256
86bcf2d174c100bfba0f60cd8e8e1eda481fa151b4ce334bcc7bca25676ec318

SHA512
443b2e56749044ccb9d58086fa083b730cc08b09f0fd689da52d07b67fa222e3127bf03db35f5eb664db0e73c939e5a6ee4ee65ced79197d3b97a69ef7171730

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccbb156e-dd7f-4a5d-a3d7-04428fa219f4\321ae818-216c-48d3-a1f4-2557fd4e237e.exe

Filesize
3.2MB

MD5
831160fa50069e68d836381d8d793010

SHA1
596b3ce9c86f516f6b4e53693a33d9751e55d3ff

SHA256
e4734d69d67cf9bae175e61edcf2449458335ae0ac592a080ee7b2e2ccb61c2a

SHA512
c8031fc95ad21edacfa0dfecffb7df0bf590d22758e530a14e77dde0f03361aea5a18d32f888226fdbed10d18a9d4ad578ede8320e87d77f555eeabfaba8b0ee

Download Submit
memory/4332-293-0x000002B900000000-0x000002B901000000-memory.dmp

Filesize
16.0MB

Download
memory/4928-307-0x00000240D5BD0000-0x00000240D5BD1000-memory.dmp

Filesize
4KB

Download
memory/4928-387-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-321-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-318-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-317-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-315-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-310-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-330-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-331-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-335-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-334-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-306-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/4928-309-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-311-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-312-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-346-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-345-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-342-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-341-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-376-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-388-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-322-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-382-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-381-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-394-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-393-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-390-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-389-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-378-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-375-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-370-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-369-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-363-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-360-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-358-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-354-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-352-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-351-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-348-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-347-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-364-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-357-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download
memory/4928-316-0x00000240D7690000-0x00000240D788A000-memory.dmp

Filesize
2.0MB

Download