xworm | hxxps://easyupload[.]io/i8f82w

Analysis

max time kernel
80s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://easyupload.io/i8f82w

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

question-salad.gl.at.ply.gg:44041

127.0.0.1:44041

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023e6b-320.dat	family_xworm
behavioral1/memory/6596-322-0x00000000000B0000-0x00000000000C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6904	powershell.exe
7064	powershell.exe
6172	powershell.exe
3936	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	eatfor.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	eatfor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	eatfor.exe

Executes dropped EXE 1 IoCs

pid	Process
6596	eatfor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	eatfor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
4036	msedge.exe
4036	msedge.exe
4788	identity_helper.exe
4788	identity_helper.exe
4992	msedge.exe
4992	msedge.exe
5944	msedge.exe
5944	msedge.exe
6904	powershell.exe
6904	powershell.exe
6904	powershell.exe
7064	powershell.exe
7064	powershell.exe
7064	powershell.exe
6172	powershell.exe
6172	powershell.exe
6172	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
6596	eatfor.exe
6596	eatfor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	6380	7zG.exe
Token: 35	6380	7zG.exe
Token: SeSecurityPrivilege	6380	7zG.exe
Token: SeSecurityPrivilege	6380	7zG.exe
Token: SeDebugPrivilege	6596	eatfor.exe
Token: SeDebugPrivilege	6904	powershell.exe
Token: SeDebugPrivilege	7064	powershell.exe
Token: SeDebugPrivilege	6172	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	6596	eatfor.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
6380	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6596	eatfor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1564	4036	msedge.exe	85
PID 4036 wrote to memory of 1564	4036	msedge.exe	85
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 3204	4036	msedge.exe	86
PID 4036 wrote to memory of 4588	4036	msedge.exe	87
PID 4036 wrote to memory of 4588	4036	msedge.exe	87
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88
PID 4036 wrote to memory of 4020	4036	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://easyupload.io/i8f82w
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8755046f8,0x7ff875504708,0x7ff875504718
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7800 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8188 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009714726758306659,1244517620821110016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:1
  2⤵
  PID:5812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\att\" -spe -an -ai#7zMap29155:68:7zEvent4776
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6380

C:\Users\Admin\Downloads\att\eatfor.exe
"C:\Users\Admin\Downloads\att\eatfor.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\att\eatfor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'eatfor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
806d271b63c2bc170813afa83e15671b

SHA1
b0a5d4f3e2094a99e402438f3ff4e153a7cb7453

SHA256
8c36754533e755375f987fe74c3499ba8f6044af05b416dded069e37f72d405e

SHA512
eb793dc197be47854473bd49ff09902e390562c182d87a670dcd7999f512fe4c090452dcb93a8bf7a4b8eb031de94f2e399dba802ca33f8764eea256eb5e805c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4255cae88563058c7eaed69088da0ab2

SHA1
2bcb70f6ae6ae0207a7a964422cac20c80b26394

SHA256
b0cb92f0d6e6cb20ace15d6bf06015570aee24c0d06a8102200dfd3cf4118a15

SHA512
cb41c1797e6d6c5a70d9045e0319ac92512deeb4d4280a1d9a607c2a4031db6027a050633b95fadce63f6f7513ba599f336182b6ce50a0cfbc44360723c461eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b899fa1-f92f-471c-8303-7da9a1b203e2.tmp

Filesize
24KB

MD5
89056432d3414a76aecdbd04ff28f419

SHA1
09a8f0683fc13f3feec528b92f89e95220267077

SHA256
10d5217b0727e444bbbecac8242a4a938d16b533775a8fa033f4225e402e15d6

SHA512
e2c5fcaf26bff0cdadd8dc83d030383241e50877cd8c68430ae001301aed1c6936e016bdbff54c8b94a44d6e0b54e8973847c6a18662ef1e3c997a86c0f808db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
44KB

MD5
8c20a759ccb28277a79dd00ca9420083

SHA1
7b54fdc89956f7c6b9a16bbe0ed2441d43d531e3

SHA256
9224ecf3801690b388ef17cdbf6f62b1e45cabc8588e378e91788f15c8131682

SHA512
099b82bb52f9edada08ac49d5ed8b1e3737b710f036ad4b3f79ea639c6d01adfd0ca3c21aa77f50422119f53a64f60b7290cd33db16f834b3afdbd3225c12122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
b09ff41f671764838f49d9744858c1fc

SHA1
d0c9cd348b501f67efd0a00f9275bb2d6b485486

SHA256
565f8c2e3c159f83d59a207a7c0efd07153c3d224438c60e20101dd3219940f8

SHA512
b114a8a1e989a8f896dddfe1da46b49af8440722c31a3ae118bcf423f4be0523d8c789d022c10e9a3131d45a77adc0b328aba7296fa7494c357d9d99e25a7282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
777f9d246cf8bfd6765e8423cf1e9b75

SHA1
0e745d6020b56e91831f32d56b597b89055c363c

SHA256
ff06bf37bd2f6e8bfceb3a6a399f32b95c30e9c09c8dee51028c70406de0ef40

SHA512
cd77563267ac6a53b1214daefeea75c2e04b3d839db58fc70cd08d7aec70a726c50a9c384cd7ce71701e450c8cbd62fdcded5ff89d2d104a7e5ce94e92981084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0191b2fcbcc2b20c512031d4f4c8a664

SHA1
03092b1fe84d535113ff059bcd1edddaae384a89

SHA256
b3d2dbab3321417c6b7413b2befc5c3d00d544f68000e8825fc68fc0cfe722ce

SHA512
0002ac950567cbd704733bc379627dbf18796f259fcfa287c269fbacfbc84118cf0906911e7e5fbdfcb593f8d1f5d04da856dcfae95b173f8d1fe12ccd02c302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
40821f1abe2352704d432d42ba35e029

SHA1
ba6ca27897c001043bb76a95b723e1096e5b1c9f

SHA256
cc1dc7a9cbae70c8c3099adce8fe1cf9fa7f92b57be4f90c2385ee07ad7c9f8c

SHA512
983b65ae0eb4bcb44c2ec66d545f4e4609568e79b84b46f7608a08430e76069da0ad28505f5a2b437f873852dab7fbf21976f2c6a495b0ed4cc2b8ebc7539266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4afeaa11a47133c7f42db642680aab5c

SHA1
3cac6c57a23083f27e4739b6f8b20293617e9823

SHA256
540ab6bdd5729c9fe61af460ad8a0bf7ada5afe00a3a4e24b4714fe839935ebf

SHA512
540967aa7c1df200d5da9b4ae1047faeaaaf4160dfaded261aabe059abfd8945983e19e94a345306c55cd5ff4a24080edfd83eb7add75a8cf7559a477557e4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7bc088d6485b4b5137c1c26a4a6247b7

SHA1
2e9c3138148db957a82187eeb8bff52ab323d912

SHA256
fcef011f22bd7cd2d944a40d0bb4cb3bd41626427d301c12a5a4e61556a8bdb6

SHA512
2225e13b35ce8f9eab3e549a2c5186e31482278d1cbea3f0ebaf0f60a8598a819390b032e0eae1a590b47a1da221aba1e021b177bf9b6ff6df4ce50ca9c5a0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59649c.TMP

Filesize
874B

MD5
419716e92b86c24b43aa6e8aaf2a0361

SHA1
913078e56b0aebc4c006ff25b77cd651bcabeaf9

SHA256
c0bf9285710194dda55999dcf4daa4243cd35aaaea6ea3970f56c8e078f1bba2

SHA512
27c94608ef06d11bb7e3a6e633db1a7cebba31c39962e19dd30788447fdeaf202655afff2633ec1fb5fc588e3ced2a382a82739eb4659e3470d8dd3be8789d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e330f09f0b37bc146bc4d5924256b799

SHA1
486832f27beeec104a301560c736767ae87154ac

SHA256
8831673f511e68873d6f64429f518b6504f3a86f86391152c1cbf2ed42877853

SHA512
3bc3f1e1bb36e89252a07d23fc9a798f016798a0478fe5396434801ee0a28cc8229fbe8f6d7571436cd9d5fc93983b203a092bacb6ae7af608ee2fab283ac507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3812f5d23bca79d4e1a595809c63cbd

SHA1
4647d0a3b58cf91b7ae75973018405c5b5332335

SHA256
04bfac3a9c69f0969dff054ffdb00f2a539d80f69427a1dfff0700552dfe9eb6

SHA512
6e8102028c6be5885a1f52c1ee65d4b31ae65f2cfc53f6181f44a77732d556ecc69488c2d58937998015b3aa72fd51d17ed787145fcb1cd033f26881101082f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9af4545f1fba8e8b6e8d7cb3c20b8b33

SHA1
687fd1f0950a96b317c38caf926410e77d35fa0a

SHA256
1861545a61ca8a8abbff7510ff9f7122907c64dc0daa6c51bfcef257a12fc309

SHA512
25dd879e7d9a062a47ad80ed9eb57145f69c1e7653863282602a3f387a1736907c146eda5815208ae132e18257fa0d7127b0ae1a7fcad7851f87ceda20844008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1xs5ixh.xoj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\att\eatfor.exe

Filesize
74KB

MD5
cd3908435f5e1e8f84060cb407376140

SHA1
ac8fc3ae910f34850f5fe2cd5b2bc29c354341ee

SHA256
668b8dc158da09a57dbaabe2a6f37e16f3e966400fd9bf31e51f3cad292a7a3a

SHA512
259da75c68eec86144a340ea7556872103f594d505d9d5ad28555b48053de9052dec8c4755f939ba13f3b667be8b60de1acc7b3009d525516f7d64fb990917ec

Download Submit
memory/6596-322-0x00000000000B0000-0x00000000000C8000-memory.dmp

Filesize
96KB

Download
memory/6904-350-0x0000015D9E030000-0x0000015D9E052000-memory.dmp

Filesize
136KB

Download