Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

07/02/2025, 03:53

250207-efrtqsxpd1 10

07/02/2025, 03:51

250207-eerscayrhk 10

07/02/2025, 01:20

250207-bqhr2avpck 10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/02/2025, 01:20

General

  • Target

    XWorm V6.0.exe

  • Size

    21.6MB

  • MD5

    ba23d65ef70b05cd3b04dfcbbd801059

  • SHA1

    5c241dc3d79f61bdf82d091bfe29bca2e641d802

  • SHA256

    0712085082841796a11be3e988c1cc131d1608809321683d4e4482363f616e0d

  • SHA512

    d32a4838ca544b9b4764bb99b716faf797aa194199151426a8848c1ed27b5f2428629324d30f15db138ff56d34d46233e3ef106ad416eff29de43eb8ade0eff9

  • SSDEEP

    393216:6JSgxj4gebngiHe2bD616QWBbdw6s8qaPNL1Zjo7YOiFSbzPQWrGMYV3j+cintc:4agiHe2n61Ub1fqY1Z8WSPFrlNHnt

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WcpxqjjxSrB6UOUw

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

  • telegram

    https://api.telegram.org/bot7483240807:AAHWuUBi6sW9ZOb0kfXVbzbMVyLtPj-9vZY/sendMessage?chat_id=5279018187

aes.plain

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getM

Signatures

  • Detect Xworm Payload 6 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Stealerium family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 17 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4480
    • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5020
    • C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2292
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      PID:3616
    • C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
      "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0008a5c-5fc3-4a6e-b0d6-15dccf223ae5.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2644
          • C:\Windows\system32\taskkill.exe
            taskkill /F /PID 220
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3352
          • C:\Windows\system32\timeout.exe
            timeout /T 2 /NOBREAK
            4⤵
            • Delays execution with timeout.exe
            PID:3392
  • C:\Users\Admin\AppData\Local\msedge.exe
    C:\Users\Admin\AppData\Local\msedge.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5076
  • C:\ProgramData\OneDrive.exe
    C:\ProgramData\OneDrive.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1876
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5100
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3280
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4604
  • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    1⤵
    • Executes dropped EXE
    PID:4952
  • C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4228
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4500
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:716
    • C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5028
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      PID:1928
    • C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
      "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1d2f11ab-8317-42e1-9dfd-6c048c1e6c45.bat"
        3⤵
        PID:1912
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4952
        • C:\Windows\system32\taskkill.exe
          taskkill /F /PID 2384
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
        • C:\Windows\system32\timeout.exe
          timeout /T 2 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:4544
  • C:\Users\Admin\AppData\Local\msedge.exe
    C:\Users\Admin\AppData\Local\msedge.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:848
  • C:\ProgramData\OneDrive.exe
    C:\ProgramData\OneDrive.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1912
  • C:\Users\Admin\AppData\Roaming\XClient.exe
    C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1448
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\TestRemove.mhtml
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ff9539346f8,0x7ff953934708,0x7ff953934718
      2⤵
      PID:1204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
      2⤵
      PID:872
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      2⤵
      PID:3912
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      2⤵
      PID:1660
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      2⤵
      PID:544
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      2⤵
      PID:1428
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      2⤵
      PID:516
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      2⤵
      PID:324
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
      2⤵
      PID:320
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14327188372577785861,15140461853314225006,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
      2⤵
      PID:1964
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4712
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4104

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V6.0.exe.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 8ea156392347ae1e43bf6f4c7b7bc6ec
    SHA1: 7e1230dd6103043d1c5d9984384f93dab02500a6
    SHA256: 40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75
    SHA512: 2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: a7b5a5433fe76697fec05973806a648c
    SHA1: 786027abe836d4d8ff674c463e5bb02c4a957b70
    SHA256: c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735
    SHA512: 27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: f77a8087e32d119170331049cd866425
    SHA1: ad2aaba8ff163c98b1e19f04faca5ee10c52c613
    SHA256: 182e44c62ff967604af67df7f3cbb71055e86afdf0f0f81e892ff02f367c0cba
    SHA512: 2fb0aebce685812ab21987391cbc937afd8c98b4e87031f14a1bbe8ae199b171ec1e5cbdd75a6f5699c3c434f99780d1356bd4d958faeb2fdcfafbb842c89b33

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 3e96c64e25b8b855e4825432e5b2692c
    SHA1: ddd87d45a5bf63bcee2846b711640f35d49a649d
    SHA256: 8a21b5aed4ac0b5f68e8c3bfc0bce211aa3f613cd3ba5e52fee1514aa2fdf327
    SHA512: fb850f81ab4087750b9a17525bda67e1f427eea220af4f3e2b60a1e95cd4d8008b9cabf5ca0a72428de4a3c907f5f8ff1c20b822fa3d027779b0181c7d82ca6f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 2b931fd5190b439cee36be1f2bd8960f
    SHA1: 5d765c9010ff91cbdf5de50e5d977e07cf65ec5c
    SHA256: 24bd1055cc25a491fe5cc0f788af01d7f08cc847fb2bfced91f5ab1f94c93b72
    SHA512: 3ade3e7f770489209fe677daecb4c32fc8b1338da3bd2d9d165964259d7bc60d6d8fecfbaa9c224f4cca67b3e274bea298d1e6d96cfdb8b25e6fa1189073f632

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 9c740b7699e2363ac4ecdf496520ca35
    SHA1: aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
    SHA256: be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
    SHA512: 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: e60eb305a7b2d9907488068b7065abd3
    SHA1: 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d
    SHA256: ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
    SHA512: 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: dd1d0b083fedf44b482a028fb70b96e8
    SHA1: dc9c027937c9f6d52268a1504cbae42a39c8d36a

                                    SHA256

                                    cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

                                    SHA512

                                    96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    98baf5117c4fcec1692067d200c58ab3

                                    SHA1

                                    5b33a57b72141e7508b615e17fb621612cb8e390

                                    SHA256

                                    30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                                    SHA512

                                    344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    15dde0683cd1ca19785d7262f554ba93

                                    SHA1

                                    d039c577e438546d10ac64837b05da480d06bf69

                                    SHA256

                                    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                    SHA512

                                    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    5cfe303e798d1cc6c1dab341e7265c15

                                    SHA1

                                    cd2834e05191a24e28a100f3f8114d5a7708dc7c

                                    SHA256

                                    c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

                                    SHA512

                                    ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    944B

                                    MD5

                                    77d622bb1a5b250869a3238b9bc1402b

                                    SHA1

                                    d47f4003c2554b9dfc4c16f22460b331886b191b

                                    SHA256

                                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                    SHA512

                                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                  • C:\Users\Admin\AppData\Local\Temp\1d2f11ab-8317-42e1-9dfd-6c048c1e6c45.bat

                                    Filesize

                                    152B

                                    MD5

                                    07c768f9b536c26fe3f9249961c08003

                                    SHA1

                                    1f5cac7ab345b5052d401d530b31b8bec31fd3d3

                                    SHA256

                                    91962757d48dc49530f289dccf32e06978c4ee78dbe78bad78782a357f8c0aa6

                                    SHA512

                                    6901f00dd8b018e427165e34e0826a19076fcdbf061e67b9ab36a11594a1dd1eb0f581de637f232ae339f92fb329d57d12f69cfeebc9304c23bb685d2837ad01

                                  • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

                                    Filesize

                                    153KB

                                    MD5

                                    8b8585c779df2f6df99f749d3b07f146

                                    SHA1

                                    b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

                                    SHA256

                                    4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

                                    SHA512

                                    b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

                                  • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

                                    Filesize

                                    140KB

                                    MD5

                                    a1cd6f4a3a37ed83515aa4752f98eb1d

                                    SHA1

                                    7f787c8d72787d8d130b4788b006b799167d1802

                                    SHA256

                                    5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

                                    SHA512

                                    9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

                                  • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

                                    Filesize

                                    14.9MB

                                    MD5

                                    56ccb739926a725e78a7acf9af52c4bb

                                    SHA1

                                    5b01b90137871c3c8f0d04f510c4d56b23932cbc

                                    SHA256

                                    90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

                                    SHA512

                                    2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjqydehy.b1u.ps1

                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  • C:\Users\Admin\AppData\Local\Temp\c0008a5c-5fc3-4a6e-b0d6-15dccf223ae5.bat

                                    Filesize

                                    151B

                                    MD5

                                    1e0448afe83629a311a4168bad422615

                                    SHA1

                                    4d0847f33422ee27f88ce6672efa745dea264f20

                                    SHA256

                                    6070146976857d2d07cb2a802b3471ee68d42406181dfb37152b1e4ccf2a922e

                                    SHA512

                                    feb275383eb3d9c852d87fd34d4c33024297fd135cd494bd7f1c07d040a356a0efd79b814fc11f704203e788105e19662fef0b35f5757acbce4d9bdf99ed6648

                                  • C:\Users\Admin\AppData\Local\Temp\msedge.exe

                                    Filesize

                                    166KB

                                    MD5

                                    aee20d80f94ae0885bb2cabadb78efc9

                                    SHA1

                                    1e82eba032fcb0b89e1fdf937a79133a5057d0a1

                                    SHA256

                                    498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

                                    SHA512

                                    3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

                                  • C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

                                    Filesize

                                    6.1MB

                                    MD5

                                    b3899dd5602b3587ee487ba34d7cfd47

                                    SHA1

                                    ace70e4fcea9b819eaf5bda4453866698252357f

                                    SHA256

                                    28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

                                    SHA512

                                    104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk

                                    Filesize

                                    677B

                                    MD5

                                    9fc7cd5d90ccee33fa151a611d7a170a

                                    SHA1

                                    ff5fcda7b869d66386cf9c221174e87798f02dd0

                                    SHA256

                                    73c75393916bea1bfd566d79c50aa455c254f3506ec8a65aca5f930e9ce52075

                                    SHA512

                                    d9d3a462186a6c1bfc3c700b1b855902bf0048ea60c40c0e6ed087436fb3934e27885ca3f494a76fa8c80b1f46f9771557177ca87353603cd1971463996d15e0

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                    Filesize

                                    771B

                                    MD5

                                    01530c3256f2babf0334c7b98804b3d6

                                    SHA1

                                    3742c17937ca7ae2f00b94175aa17f439d0c56da

                                    SHA256

                                    3d2222925194afc29075d03c5117314303068f633c828a7764e5fb2b7c9398d5

                                    SHA512

                                    c8e658ea9785c4773f72fb8efde31226f1c791aa71b2167bc4d4185dde6bc67361e9e65d0780a456509ea9b8c2890ddb1dde80c2609db25d31c9e75cfdfde86c

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

                                    Filesize

                                    961B

                                    MD5

                                    ba2178c82773cead5566ef7b8e30ba67

                                    SHA1

                                    cb043187970138664cdf9ee7d31617a7b0884dc1

                                    SHA256

                                    7c7a68732896890a791e1778254f2537abdb2d92c8bf714706b9de16daf0a204

                                    SHA512

                                    7bc4281f95db793d89eba2b4bb86f3187ba979a8f168961bb3809c483e5210bb2d77fa9282b8b7032000c9630d604978a2105ec06b555b2df40bc79bcba7dce0
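
The dropped-file list above is the part of this report a responder acts on first. Three executables sit in the user's Temp directory under names borrowed from legitimate products (Chrome Update.exe, OneDrive.exe, msedge.exe), three shortcuts land in the user's Startup folder (OneDrive.lnk, XClient.lnk, msedge.lnk), and two 150-byte batch files with GUID names appear beside them. The Python routine below is an added example, not tria.ge output and not code from the XWorm, Stealerium or Gurcu projects: it parses entries in this report's bullet / Filesize / value layout and flags Startup-folder persistence, executables that impersonate a known binary but live outside its install directory, executables staged in Temp, and GUID-named batch files. The sample input is a constructed excerpt of the entries above (hashes omitted); the EXPECTED_HOME table and the configured install-file name passed in as CONFIG_INSTALL_FILE are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt of the dropped-file entries listed in this report
# (paths and sizes as listed; hashes left out to keep the sample short).
REPORT = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize
  11KB
• C:\Users\Admin\AppData\Local\Temp\1d2f11ab-8317-42e1-9dfd-6c048c1e6c45.bat
  Filesize
  152B
• C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  Filesize
  153KB
• C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  Filesize
  140KB
• C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  Filesize
  14.9MB
• C:\Users\Admin\AppData\Local\Temp\msedge.exe
  Filesize
  166KB
• C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  Filesize
  6.1MB
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk
  Filesize
  677B
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  Filesize
  771B
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
  Filesize
  961B
"""

# One entry = bullet line, "Filesize" label, value; blank lines in between are tolerated.
ENTRY_RE = re.compile(
    r"^•\s*(?P<path>.+?)\s*\n\s*Filesize\s*\n\s*(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB|GB)\s*$",
    re.M,
)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Where each impersonated binary lives on a stock Windows 10 install. This table is an
# assumption of the example; extend it for your own estate. Matched on the lower-cased parent dir.
EXPECTED_HOME = {
    "msedge.exe": ["\\program files (x86)\\microsoft\\edge\\application"],
    "onedrive.exe": ["\\appdata\\local\\microsoft\\onedrive", "\\program files\\microsoft onedrive"],
    "chrome update.exe": [],  # no legitimate Google binary carries this name
}
STARTUP_MARK = "\\start menu\\programs\\startup\\"
TEMP_MARK = "\\appdata\\local\\temp\\"
GUID_BAT = re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.bat$", re.I)
# Install-file name from the family's extracted config, supplied here as a parameter (assumption).
CONFIG_INSTALL_FILE = "XClient.exe"


@dataclass
class Dropped:
    path: str
    size: int                      # bytes, reconstructed from the report's rounded figure
    findings: List[str] = field(default_factory=list)


def parse_report(text: str) -> List[Dropped]:
    """Parse every path/Filesize pair in the report layout into Dropped records."""
    return [Dropped(m["path"], int(float(m["num"]) * UNIT[m["unit"]]))
            for m in ENTRY_RE.finditer(text)]


def triage(entries: List[Dropped]) -> List[Dropped]:
    """Attach findings to each entry (recomputed on every call) and return the flagged ones."""
    stem = CONFIG_INSTALL_FILE.lower().rsplit(".", 1)[0]
    for e in entries:
        p = e.path.lower()
        parent, _, name = p.rpartition("\\")
        f: List[str] = []
        if STARTUP_MARK in p and name.endswith(".lnk"):
            f.append("T1547.001 shortcut in user Startup folder")
            if name[:-4] == stem:
                f.append("shortcut name matches configured install_file " + CONFIG_INSTALL_FILE)
        if name in EXPECTED_HOME and not any(h in parent for h in EXPECTED_HOME[name]):
            f.append("T1036.005 masquerading: " + name + " outside its expected location")
        if TEMP_MARK in p and name.endswith(".exe"):
            f.append("executable staged in %Temp%")
        if GUID_BAT.search(p):
            f.append("GUID-named batch file in Temp; inspect its contents")
        e.findings = f
    return [e for e in entries if e.findings]


if __name__ == "__main__":
    for e in triage(parse_report(REPORT)):
        print(e.path)
        for item in e.findings:
            print("   -", item)
```

Run against the excerpt, nine of the ten entries are flagged; only Edge's Local State file (data the stealer reads, not something it planted) is silent. The location check is the part worth keeping: a binary named msedge.exe or OneDrive.exe is only suspicious because of where it sits, so the table of expected directories, not the file name, carries the detection.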

                                  • memory/220-64-0x00000210990C0000-0x00000210996D6000-memory.dmp

                                    Filesize

                                    6.1MB

                                  • memory/1068-178-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/1068-32-0x0000000000970000-0x000000000099C000-memory.dmp

                                    Filesize

                                    176KB

                                  • memory/1068-38-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/1068-134-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/1068-168-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/2028-37-0x0000000000740000-0x000000000076E000-memory.dmp

                                    Filesize

                                    184KB

                                  • memory/2268-39-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/2268-198-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/2268-36-0x0000000000070000-0x0000000000098000-memory.dmp

                                    Filesize

                                    160KB

                                  • memory/2268-170-0x00007FF956F60000-0x00007FF957A21000-memory.dmp

                                    Filesize

                                    10.8MB

                                  • memory/3280-192-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-193-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-182-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-190-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-191-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-194-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-183-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-189-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-188-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3280-184-0x000001DA22580000-0x000001DA22581000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/3296-0-0x00007FF956F63000-0x00007FF956F65000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/3296-1-0x0000000000F20000-0x00000000024B4000-memory.dmp

                                    Filesize

                                    21.6MB

                                  • memory/3476-74-0x000001FD190F0000-0x000001FD19112000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/3616-59-0x000001D689FB0000-0x000001D68AE98000-memory.dmp

                                    Filesize

                                    14.9MB
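
Each memory entry above is named PID-ordinal-start-end, and the two addresses give the exact region size that the report rounds: 0x00007FF957A21000 - 0x00007FF956F60000 = 0xAC1000 bytes, printed as 10.8MB. Read that way, the list splits into two kinds of region. The 10.8MB range appears at the same address in PIDs 1068 and 2268 (five dumps between them), which is consistent with a mapping shared by both processes rather than a private allocation; that is an inference from the identical addresses, not something the report states. The remaining regions are private, and three of them match dropped-file sizes exactly as the report prints them: 14.9MB in PID 3616 against Xworm V5.6.exe, 6.1MB in PID 220 against update.dotnet.exe, and 21.6MB in PID 3296 against the submitted sample. The Python below is an added example, not tria.ge code: it parses the dump names, recomputes sizes with the report's rounding, separates shared from private ranges, and lists private regions whose size matches a dropped file. The input is a constructed subset of the dump names above (the ten identical 4KB dumps from PID 3280 reduced to two); DROPPED_SIZES is copied from the file list.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed input: dump names from this report (PID 3280's repeated 4KB dumps cut to two).
DUMPS = """
memory/220-64-0x00000210990C0000-0x00000210996D6000-memory.dmp
memory/1068-178-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/1068-32-0x0000000000970000-0x000000000099C000-memory.dmp
memory/1068-38-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/1068-134-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/1068-168-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/2028-37-0x0000000000740000-0x000000000076E000-memory.dmp
memory/2268-39-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/2268-198-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/2268-36-0x0000000000070000-0x0000000000098000-memory.dmp
memory/2268-170-0x00007FF956F60000-0x00007FF957A21000-memory.dmp
memory/3280-182-0x000001DA22580000-0x000001DA22581000-memory.dmp
memory/3280-194-0x000001DA22580000-0x000001DA22581000-memory.dmp
memory/3296-0-0x00007FF956F63000-0x00007FF956F65000-memory.dmp
memory/3296-1-0x0000000000F20000-0x00000000024B4000-memory.dmp
memory/3476-74-0x000001FD190F0000-0x000001FD19112000-memory.dmp
memory/3616-59-0x000001D689FB0000-0x000001D68AE98000-memory.dmp
"""

# Sizes exactly as the report prints them: dropped files from the list above, plus the
# submitted sample's size from the report header. Matching on rounded sizes is a heuristic.
DROPPED_SIZES = {
    "update.dotnet.exe": "6.1MB",
    "Xworm V5.6.exe": "14.9MB",
    "msedge.exe": "166KB",
    "OneDrive.exe": "140KB",
    "Chrome Update.exe": "153KB",
    "<submitted sample>": "21.6MB",
}

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


class Region(NamedTuple):
    pid: int
    seq: int      # dump ordinal within the run; the same range can be dumped repeatedly
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def fmt_size(n: int) -> str:
    """Round the way the report prints sizes: one decimal in MB, whole KB below 1MB."""
    if n >= 1024 ** 2:
        return f"{n / 1024 ** 2:.1f}MB"
    if n >= 1024:
        return f"{n // 1024}KB"
    return f"{n}B"


def parse_dumps(text: str) -> List[Region]:
    return [Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
            for m in DUMP_RE.finditer(text)]


def shared_ranges(regions: List[Region]) -> Dict[Tuple[int, int], List[int]]:
    """Exact (start, end) ranges dumped from more than one PID. The same range at the same
    address in several processes is a mapping they share, not a per-process private
    allocation, so it is the wrong place to look for an unpacked payload."""
    by_range: Dict[Tuple[int, int], set] = defaultdict(set)
    for r in regions:
        by_range[(r.start, r.end)].add(r.pid)
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def match_dropped(regions: List[Region], dropped: Dict[str, str]) -> List[Tuple[int, int, str]]:
    """Private regions whose reported size equals a dropped file's reported size: candidate
    in-memory copies of that file. One hit per (pid, size); shared ranges are skipped."""
    shared = set(shared_ranges(regions))
    by_size: Dict[str, List[str]] = defaultdict(list)
    for name, s in dropped.items():
        by_size[s].append(name)
    hits, seen = [], set()
    for r in regions:
        key = (r.pid, fmt_size(r.size))
        if (r.start, r.end) in shared or key in seen or key[1] not in by_size:
            continue
        seen.add(key)
        hits.extend((r.pid, r.size, name) for name in by_size[key[1]])
    return sorted(hits)


if __name__ == "__main__":
    regs = parse_dumps(DUMPS)
    for rng, pids in shared_ranges(regs).items():
        print(f"shared 0x{rng[0]:X}-0x{rng[1]:X} ({fmt_size(rng[1] - rng[0])}) in PIDs {pids}")
    for pid, size, name in match_dropped(regs, DROPPED_SIZES):
        print(f"PID {pid}: {fmt_size(size)} private region matches dropped file {name}")
```

Size equality is a pointer, not a confirmation: two unrelated images can round to the same figure, and an unpacked payload need not be the same size as the file it came from. Treat a hit as the region to pull first, then check it for a PE header and hash it against the SHA256 values in the file list before calling it the same object.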