meduza | hxxps://github[.]com/thunder21wave/Xeno-Executor

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/thunder21wave/Xeno-Executor

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

5.252.155.28

Attributes

anti_dbg
true
anti_vm
true
build_name
703
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 10 IoCs

resource	yara_rule
behavioral1/memory/5152-225-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5152-226-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5584-254-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5644-260-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5748-266-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5936-297-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/6000-303-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/6064-309-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/5844-331-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral1/memory/6072-348-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza

Meduza family
meduza

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	api.ipify.org
64	api.ipify.org

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 5152	2908	Xeno Executor.exe	125
PID 5552 set thread context of 5584	5552	Xeno Executor.exe	131
PID 5612 set thread context of 5644	5612	Xeno Executor.exe	133
PID 5716 set thread context of 5748	5716	Xeno Executor.exe	136
PID 5904 set thread context of 5936	5904	Xeno Executor.exe	138
PID 5968 set thread context of 6000	5968	Xeno Executor.exe	140
PID 6032 set thread context of 6064	6032	Xeno Executor.exe	142
PID 5840 set thread context of 5844	5840	Xeno Executor.exe	153
PID 6020 set thread context of 6072	6020	Xeno Executor.exe	157

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5224	NOTEPAD.EXE
1524	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
832	msedge.exe
832	msedge.exe
2376	msedge.exe
2376	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe
1760	msedge.exe
1760	msedge.exe
5152	Xeno Executor.exe
5152	Xeno Executor.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6064	OpenWith.exe
5352	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	5152	Xeno Executor.exe
Token: SeImpersonatePrivilege	5152	Xeno Executor.exe
Token: SeDebugPrivilege	5584	Xeno Executor.exe
Token: SeImpersonatePrivilege	5584	Xeno Executor.exe
Token: SeDebugPrivilege	5644	Xeno Executor.exe
Token: SeImpersonatePrivilege	5644	Xeno Executor.exe
Token: SeDebugPrivilege	5748	Xeno Executor.exe
Token: SeImpersonatePrivilege	5748	Xeno Executor.exe
Token: SeDebugPrivilege	5936	Xeno Executor.exe
Token: SeImpersonatePrivilege	5936	Xeno Executor.exe
Token: SeDebugPrivilege	6000	Xeno Executor.exe
Token: SeImpersonatePrivilege	6000	Xeno Executor.exe
Token: SeDebugPrivilege	6064	Xeno Executor.exe
Token: SeImpersonatePrivilege	6064	Xeno Executor.exe
Token: SeDebugPrivilege	5452	taskmgr.exe
Token: SeSystemProfilePrivilege	5452	taskmgr.exe
Token: SeCreateGlobalPrivilege	5452	taskmgr.exe
Token: 33	5452	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5452	taskmgr.exe
Token: SeDebugPrivilege	5844	Xeno Executor.exe
Token: SeImpersonatePrivilege	5844	Xeno Executor.exe
Token: SeDebugPrivilege	6072	Xeno Executor.exe
Token: SeImpersonatePrivilege	6072	Xeno Executor.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe
5452	taskmgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
6064	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe
5352	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2196	2376	msedge.exe	84
PID 2376 wrote to memory of 2196	2376	msedge.exe	84
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 1100	2376	msedge.exe	85
PID 2376 wrote to memory of 832	2376	msedge.exe	86
PID 2376 wrote to memory of 832	2376	msedge.exe	86
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87
PID 2376 wrote to memory of 4960	2376	msedge.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Xeno Executor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/thunder21wave/Xeno-Executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe3fda46f8,0x7ffe3fda4708,0x7ffe3fda4718
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12856332879768005842,15015675551068417783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:4516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3804

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2908
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5152

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5552
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5584

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5612
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5644

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5716
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5748

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5904
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5936

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5968
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6000

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:6032
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5452

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5840
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5844

C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
"C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:6020
- C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe
  "C:\Users\Admin\Downloads\Xeno.Executor\Xeno Executor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6064
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Xeno.Executor\loader.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5352
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Xeno.Executor\Serilog.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1dabfe4ecac332ef82afeb8877298d46

SHA1
9da5a2dac3f55e2a6c11b04aea4303ea4f048f77

SHA256
4f525b3efe0e3da91a0402fa8302520577032fbf00c47f16fd6f41e36cd46c72

SHA512
608f0147f2235d2077e975243d05cbabbfc64ebde5cfa8813a897e00d772b49251bb57cf24d9738b726fabbf1f932e2c2ac9a2062ef6a7dc5f7462e17bbb8ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
62c3893abe891c63a9064cb89040de78

SHA1
0adbeb66317b7d83f6d29b1c3113a0d67a2f5bf3

SHA256
b5f8a8286fe5ad7c52eea1c424ad3ece9acaa46e27bd39303c66e3b03094be01

SHA512
3cef21dcced6d859a419b41766308294634099fb6626c558e3150483b2fe2b288edf6622d52afdd01d9b532dbe181ff2ea58e7ef031dbc674087ef255459aa89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
5d9c9a19d5c1d6e60761e3d9e6f5eae1

SHA1
7070a8280603a8689b28ab19d149591d4028940b

SHA256
2d684436a99cd30fbbe4566897748c417d1c1fe1085d083f2475c1b439447e90

SHA512
4e8cb765fd4102cc53f69193d18e3e8c89d50180ea9f09dd3c1c0ea546665f167065fbefbf1194ebabeffbaebd8fb8f2d09b51a3413f79ae1e74ed127e519388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
8a5f607cd57c1d3e692cec3a92634dab

SHA1
549dc3e9df5ae6edc593155fc4c222d33089d180

SHA256
aa19d85b808132d0929d7e97347ea446087c7e2cb5a3e441f71e83bfee7c98d1

SHA512
2c812f7c7d758ad78565f52496d4482531cb0efe7e1b7942beba5b732a21d79a77e343138915a0770e8f0128b30e7cf9d312c5919be4f4500adcbbaa1f2cdd38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
665B

MD5
f1e1875e4484b4f4a6599ca5a32f07e3

SHA1
44f1dc7800f32260c86f267b59d5d2d3e6528805

SHA256
c54fdb273e621d8d60589a49d5280d6468365d94c4f53b48871c836b10d1531e

SHA512
a62ab1c00d6a56492741fe465a94672212161e9511d36387a560281f3f44cfb9d8c027ef69920ca5beaa674057922cb68afbb5c55a0fd9ce6995dea5e61fb138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1f2a6c5d3ab6c417338c5ae39515316

SHA1
91122e02d1bdcd1625098d74eb46477047cad499

SHA256
45b244a18a948ebcd2c4082af35ba16dd52e88c72a2a57e1c72b381ca639263a

SHA512
6d1db520e963046620e60f5879c60a4566ae5ba6b5711af1b895ca67b34213d431eb2dade5810029268b00db3bc9d974fc921c37508fb6b665b2fa0a5cb7bc0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1740847cd2045375b9fc51ada6eadbca

SHA1
c6e3f167f4f5df21c948af8b5bf3c7344bf91d48

SHA256
3770adf3fc6ea6c2a66d6dfc6488d50ff8afd7ed7755f855e493eddb9de1270b

SHA512
ed560bd41987815e377432a9d7f0d49091b2b4a7205cc8d236a841bd5520d6582fb7da2e8ca9cc2ed511cad132480adfd8d4f01cac45695bd7256d0d2d442aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc748fd39e08066623adc7ec11dfb8e5

SHA1
4ca67edd961d3cd98d113ac1e340f342ff6ddb56

SHA256
bbb6530a252c95aa7a4e86a6e6699b53c1d5b317798b3582e41cc9a3ac5f0caf

SHA512
4dd392b5482feb9edf196bb04c75f6b2cd8484ef53203e58260e22229ea6ce519a0814f1ee23dea7475dba230aa8eec908ebe614b7428c927ddbf67ef433b9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0576ebcb95724eeee6a942748fb7b1be

SHA1
54c9cac40dfecde060337964e364c1ef45a0424c

SHA256
2dca810b132049a4e70590b67ddaedb2a8b3da185634f0526aa159f6e49fbaf6

SHA512
4cc2dea3dd4cb5c3a6f206996ce6fc594cfee97cfa01c534200e9002bf76540458f5f91807114c872575dc133ce70c6bba12a2aa818bf6405754e44208587f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcbfbf2d8ba1d6280f014d13647f88b6

SHA1
8cea3fed3b52dad2875d6d9a3e08decc251eeb9f

SHA256
f79fac6b849554ad8aef4c251bdbd2e897536b8ab04a35e7657b46b141eefbbe

SHA512
d03de268e71e781e0cbea91150cd7f39d4d6423d031236be52bd38b3d6ebb988fcb3387992bf7282ee8fe4cdbf5cda94039e33e9177636cc3f606a7438b8184e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db6260eafd6cc14781250f9d1e2a021b

SHA1
e11742d59235f652588e92efb0c0ab3d561802ac

SHA256
05ff496298b4dd9321da4e687548777b7222b695f804cba2f39527467b7d50c4

SHA512
b40833cc6c7ec97807ad788c5073734996b772c044940d345d377ac185d3317364c190766dd7250819f67ff5d9643ef4331e3e4bb11de2592d3db7bb16d58466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1b5.TMP

Filesize
1KB

MD5
3f5ec633e1b99483a11666ced62d62a1

SHA1
2291041e10db62b18e0fed484dce7864f357540e

SHA256
f3a8c59bf5ba573d302c7a7d3846c3e1f4ada255ca46ec96e091c20e7224dd46

SHA512
0d04c23cc74f880bde57645efb800644f510b9ff38444be61693508997080b6f11eecb8cc04d272345ebbb65d228e56a29122500afd687672f518e7f8d277720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1180db18c152d4bf45fa4041be437fa4

SHA1
d2c14fe80d3952e44fe03cf5556231ce2ab68bd6

SHA256
49695bcc694c36bf11aba9ba0a8bfa9585f1cf27a8f4c581c8636e62bbaa1f14

SHA512
446e56d10178bc7477da6fd9f85f2b5325f603065bf306e4121d316b0c33e7fd8deb70934dcae9eecc391b20a7c64a460aa787bba9c2765a43f835667680b78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc194d429164050175cbb913dc947d11

SHA1
004b5364ea7290c85128b0eb830d7140d8e1b8e5

SHA256
1f781aca47a761c6c521eefe22051597be41010b359a242b81eac92fb3cb1a27

SHA512
296abc689b02633c1fd550ddcdf158a11ab3342b1b78a18d4e2572ac87fd26295c9609c6f26f91acbdb6b732f5baeea85f43bccaec62f94048f3bf12aef96e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d85e1766f56bfe346f54f9cc4706022

SHA1
cf388381498ee4f851022e13cda84b872ea34aa0

SHA256
94f2e10b2bae6da2baedbdccc6ff168bee4cdb78dc1c4be9356ec7ff9d4678a9

SHA512
64dcfb46df352d03580542b724209fa5b77dbf3fe88ec882dcf3f11fccd513188ebb5e3360d2f25aa43d806eb967ac196ae4db0035622e159ed1c3016bc4da74

Download Submit
C:\Users\Admin\Downloads\Xeno.Executor.zip

Filesize
1.8MB

MD5
5a2987a511847c072bcb66d62dd1dc8a

SHA1
73522773b5c549cc47138852fe78f1da49f6022f

SHA256
067b72ca55be449fb134be88a23708469b0114847c98108151b445b10dd83614

SHA512
917980ce186f70e1f0e72f6c8797e19013a2f2faa85e7b70788a265165f684d1610c8fbf2bda9d9078338c612d2bea842a53109254574e091970e41b008666f0

Download Submit
memory/2908-221-0x00007FF6F8020000-0x00007FF6F8021000-memory.dmp

Filesize
4KB

Download
memory/5152-226-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5152-225-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5452-311-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-321-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-317-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-318-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-320-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-310-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-312-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-319-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5452-316-0x000001F638040000-0x000001F638041000-memory.dmp

Filesize
4KB

Download
memory/5584-254-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5644-260-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5748-266-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5844-331-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5936-297-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/6000-303-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/6064-309-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/6072-348-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download