xworm | hxxps://easyupload[.]io/ljjro8

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://easyupload.io/ljjro8

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

question-salad.gl.at.ply.gg:44041

127.0.0.1:44041

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d8c-270.dat	family_xworm
behavioral1/memory/7068-272-0x0000000000D70000-0x0000000000D84000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 5 IoCs

pid	Process
7068	Xmega.exe
5648	Xmega.exe
6756	Xmega.exe
2128	Xmega.exe
5068	Xmega.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1968	msedge.exe
1968	msedge.exe
5096	identity_helper.exe
5096	identity_helper.exe
6020	msedge.exe
6020	msedge.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	6816	7zG.exe
Token: 35	6816	7zG.exe
Token: SeSecurityPrivilege	6816	7zG.exe
Token: SeSecurityPrivilege	6816	7zG.exe
Token: SeDebugPrivilege	7068	Xmega.exe
Token: SeDebugPrivilege	5648	Xmega.exe
Token: SeDebugPrivilege	6756	Xmega.exe
Token: SeDebugPrivilege	2128	Xmega.exe
Token: SeDebugPrivilege	6392	taskmgr.exe
Token: SeSystemProfilePrivilege	6392	taskmgr.exe
Token: SeCreateGlobalPrivilege	6392	taskmgr.exe
Token: 33	6392	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6392	taskmgr.exe
Token: SeRestorePrivilege	2716	7zG.exe
Token: 35	2716	7zG.exe
Token: SeSecurityPrivilege	2716	7zG.exe
Token: SeSecurityPrivilege	2716	7zG.exe
Token: SeDebugPrivilege	5068	Xmega.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
6816	7zG.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe
6392	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3844	1968	msedge.exe	84
PID 1968 wrote to memory of 3844	1968	msedge.exe	84
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 984	1968	msedge.exe	85
PID 1968 wrote to memory of 1168	1968	msedge.exe	86
PID 1968 wrote to memory of 1168	1968	msedge.exe	86
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87
PID 1968 wrote to memory of 3640	1968	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://easyupload.io/ljjro8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff22d746f8,0x7fff22d74708,0x7fff22d74718
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7528 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8248 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:6400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:6408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:1
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:6424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17193583371310981242,10943400391732453179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\xmega\" -spe -an -ai#7zMap14061:72:7zEvent12537
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6816

C:\Users\Admin\Downloads\xmega\Xmega.exe
"C:\Users\Admin\Downloads\xmega\Xmega.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7068

C:\Users\Admin\Downloads\xmega\Xmega.exe
"C:\Users\Admin\Downloads\xmega\Xmega.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Users\Admin\Downloads\xmega\Xmega.exe
"C:\Users\Admin\Downloads\xmega\Xmega.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6756

C:\Users\Admin\Downloads\xmega\Xmega.exe
"C:\Users\Admin\Downloads\xmega\Xmega.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\xmega\" -spe -an -ai#7zMap2989:72:7zEvent14845
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\Downloads\xmega\Xmega.exe
"C:\Users\Admin\Downloads\xmega\Xmega.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xmega.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c896d9067b3deb4f252254e54728b55e

SHA1
8ac9e92abda3e87f1b2369c9e5a0be15e06e967a

SHA256
1a9c24fbfcbe11083b561c253618409547b83416a38271fe79a4cf03e069d093

SHA512
e32d7281aa6f1f9e7ecab6cb34485b551284666e92434089778623ebf052355210cfefc590959e2b291fa6cfcac922f00d435942cea9b6d1838bd89cd550163f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
eb98c63becf3d673a4d0730115315315

SHA1
3b95fceaa8c57daad4c2a1320898097a95c86324

SHA256
273c9573a2080c0205242f5957b268f24e16d0fa0ca7ebd339c7edfaa5c68969

SHA512
eba9d0ab665238e333ce7b950e45f88d2ad55cf2793b987b1f33d484ad25eef8811cb84f4da023be7d9bdb6a471e6a0ab7883d901e419243aab0361cc0c346eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
fd0e70fb21dd48c84c144818b4a8bd56

SHA1
752bdd45c509326c01bdf4f020cf07380f43588a

SHA256
a5e0515f06e020e70d0267bea56f0793c4669f4e926288e1534e784937fb12da

SHA512
291df9b71dcfbe304a82d93cace0bfc7794ff36c0cedae4eca3a0b0680814cc0a45146afa732e45bef4b2b96df2f10e09438687bc21f1f432041855e3bdd6837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6365b7444f0750ebbd23637734fffdb

SHA1
a73a8dcbff59c3e738b1ef2e5641d5a0add15807

SHA256
7a52fab6f0fcf8c967f9ecefadd561aef70b545cdbb6bad118dcc9800c5d0bd9

SHA512
3deaf6c7f9864a0bc74978e0cd064ae907899ee9100c1f3b05e464061c766495276d89da3384fc9bc7f037cd0e3b801f966804dde1c611ad6f51c5d0be9f649d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c5fd3ecb2f00fa851f6a51729f47b033

SHA1
2ce258b8541c027679e9d622e63df5744235aab6

SHA256
8a713e356d85876fb68a2bdaaada1f3c7bdff682ddceedbf1e13151db20981c4

SHA512
4df9977f0d7361ddcd82592b33ac4cc245d540f532a8d04e54deb3fc5568bb558f93cfd539a67135f4d154e2833527cc2ee199cba9454df91c3bb16924dff724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
06e5507104dd9c0d5c041aba87ebc9e6

SHA1
5664621d3f2e25185f59ce74bea87a4145dfe300

SHA256
00dc9026bc379ddbd8a480dd0fa16e429baec8b42f50cfe417446f2b46253473

SHA512
0edc3c4e1693eca94d8bb86862e6a2456ffb6518ee3ef776d5ee232c16ba833d4508685cca41aa937f6884f70fe15a3ba27eee1d9337b1aff45a5dbfd3f851f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
48b1191c07bf07defc1b76dc87917036

SHA1
5e731edcc5b556938da4b7aa1a4bfda918680900

SHA256
efa113668c21afdb64da1bf0ceccfdda715a480827eca69296d6e2441530ba3d

SHA512
98fb8b2c2e15b9ceb47284642e1b1cdb79c36159c94f477cd0d2b4b7109e97fecd955e0501b28b5a75dbf9ed4ad343f4d3052d0e229f5cba26667903dc6207f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2287d691f7ebaf3ca46fb6b8fa5de48

SHA1
b019632a42d499f9fd40d6274c2b3b631a455402

SHA256
d92951e7fbb2323923e6d575d05b91f58282aa7f04159046cc887bc814f37dd3

SHA512
dfd08b4001f1c02b61c0d94db4139473a10a81af4bd828f2bc694de507124f95029eaf523ce47d25571bcada5acda0e2f952edec4eea62c1d936e25983ffe8d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a99efbe5689f7c24bf70c9616268ed4f

SHA1
09f1704bca41f38b2f5b556966b0e3b1e1e3726d

SHA256
5e4f37ce59190dfb906b03ae62ed73ff2e2aeb4475b9e7721f00b0f8ca1cc0cf

SHA512
01f8a930e05cc314f2639ba1b39b1b0c7dcc9f87c2667a6f966fa9aba0cfc7fd15f6f7460e4c33c752a0b37ae4c09d136e2f9a75a4a4fcc2ba270fa474979065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c469.TMP

Filesize
2KB

MD5
5596375e8a27377baec736e23b561670

SHA1
b606b6ef023a2ebff0815fed44e34ce90b23b433

SHA256
78ab7e2dfd7283be4b654ce7b091bf1bd31b30b7ea56d849e89b1b54c4761c77

SHA512
3ef67be718ad03a8b35f7a668b5be9083ae90ce365dcdcba3791cbf974826fef8b64ad1f9f2967da24beab52c2f2619e8a3546a792492b51778bc654602851c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9055530cd73b8ad852f3ecd623686d7c

SHA1
a14ecf247d0e41f47e2ce5d9541c828852ead8ac

SHA256
e5171c926ad2191b2a372790b8e21d5386e80557a03e96ee005d76ea288a8d47

SHA512
0cc4ea148dce4af010c686f05bfe5839f75fce687fac04df2833585e5d5eafb8d520c99372fcb4b656f7797b783385ae93d540632b256d8e476f3d99a975173e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e89fbfb3e9bfce037aa5642acf91850f

SHA1
78ac3dabe2994b272691f996b35cf47ff642b938

SHA256
3ece934cb4a2db4f7627ea7bcb66270335e51e654c78fc47dc43a8c016191fc7

SHA512
51247a859667bef70007d49bc8361d2a86bce7e204aac3fa9fd2b28d2e66134b0563398a07ea926a6dc6d611287985a7da85a51a780feeb5bb87df3b4fb622a1

Download Submit
C:\Users\Admin\Downloads\xmega.rar

Filesize
31KB

MD5
2b4ca15f23821bf25a007a0aa41153ea

SHA1
bb62faddfcdd45d1036c7512dcd5f4c903d692be

SHA256
a0192a5e6c306a1dc69099bc02cac043a81559c33cb60459d8e8ccd43fbd80f3

SHA512
e7ebd292e930423661c391b07c0a8f003bcf35624224a95768f949b1cf7e9ae7e9829ad915056478771f73fb9ff2671889a594be226a15d1acbad5ae3f28ee24

Download Submit
C:\Users\Admin\Downloads\xmega\Xmega.exe

Filesize
53KB

MD5
820683eedc4374fd71a7091d9dcb54f9

SHA1
e27b4f0d71a2da50968efd7f2e6fae7936ac38f8

SHA256
98903584ac6e1ae28bdf7e77ce25fb54f952bd2683128835a39b9f498a959ddd

SHA512
a1a78df11ecfc356a535edbbb851fcf06d834f500a1cf27120b9300a41c14d02569d0899e2575b5f79dd2f6eb151f96b80b4c2694928687af6be1449e51f4aee

Download Submit
memory/6392-344-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-343-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-355-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-353-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-354-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-352-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-351-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-350-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-349-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/6392-345-0x0000014E02DF0000-0x0000014E02DF1000-memory.dmp

Filesize
4KB

Download
memory/7068-272-0x0000000000D70000-0x0000000000D84000-memory.dmp

Filesize
80KB

Download