agenttesla | 9702a4f1f432220d5c7afca5aa0aa682be7362afdfeae8276abf70bfcffb7313

Resubmissions

08-10-2023 10:17

231008-mbm9rabc3v 10

08-10-2023 09:55

231008-lxw84sde36 10

Analysis

max time kernel
1050s
max time network
451s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V5.0.zip
Size

29.7MB
MD5

d4bedeb1045da2b8be2fb8b5b78a9508
SHA1

426679b6d82bec0aed07bc2293bf070550d95620
SHA256

9702a4f1f432220d5c7afca5aa0aa682be7362afdfeae8276abf70bfcffb7313
SHA512

f7a018f996b78a84f138e564cad7a15b4c25208a3111d39310792b1297f5d51e0dee694df9eda2487fdff86ec347685ef6e2ec9eef9a7fc69d80188ca5837ee0
SSDEEP

786432:ynKX23QgeyHcgpsQIJ2eEXSFjtRLnQ4+Ge/inEdOJkP7oDPctM:PX23Qgh51IgxSFjc2pkz2b

Score

10^/10

agenttesla xenarmor xworm agilenet collection keylogger password rat recovery spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4348-13-0x000002105D9E0000-0x000002105E452000-memory.dmp	family_xworm
behavioral1/memory/4348-34-0x00000210791D0000-0x0000021079D86000-memory.dmp	family_xworm
behavioral1/memory/2052-43-0x0000000005CF0000-0x0000000006762000-memory.dmp	family_xworm

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4348-36-0x0000021079F90000-0x000002107A184000-memory.dmp	family_agenttesla
behavioral1/memory/2052-75-0x000000000A1D0000-0x000000000A3C4000-memory.dmp	family_agenttesla

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 14 IoCs

Processes:

XClient.exeXClient.exeAll-In-One.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exe

pid	process
2840	XClient.exe
716	XClient.exe
4332	All-In-One.exe
4604	XClient.exe
3532	XClient.exe
3208	XClient.exe
4996	XClient.exe
3604	XClient.exe
232	XClient.exe
440	XClient.exe
4128	XClient.exe
3136	XClient.exe
4584	XClient.exe
4856	XClient.exe

Loads dropped DLL 8 IoCs

Processes:

XWorm V5.0.exeXWormLoader.exeXWormLoader.exeXWorm V5.0.exeXWormLoader.exeXWorm V5.0.exeXWormLoader.exeAll-In-One.exe

pid	process
4348	XWorm V5.0.exe
2052	XWormLoader.exe
1548	XWormLoader.exe
3520	XWorm V5.0.exe
4976	XWormLoader.exe
3292	XWorm V5.0.exe
1068	XWormLoader.exe
4332	All-In-One.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4348-13-0x000002105D9E0000-0x000002105E452000-memory.dmp	agile_net
behavioral1/memory/2052-43-0x0000000005CF0000-0x0000000006762000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll	upx
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

All-In-One.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Drops file in System32 directory 2 IoCs

Processes:

mmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWormLoader.exeXClient.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3144 schtasks.exe

pid	process
3144	schtasks.exe

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWormLoader.exeXWormLoader.exeXClient.exeXWorm V5.0.exeXWorm V5.0.exemsedge.exemsedge.exeXWorm V5.0.exeXWormLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

XWormLoader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\TypedURLs	XWormLoader.exe

Modifies registry class 28 IoCs

Processes:

XWormLoader.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	XWormLoader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	XWormLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	XWormLoader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	XWormLoader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader.exe
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskmgr.exeXWormLoader.exeXClient.exetaskmgr.exe

pid	process
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
3528	msedge.exe
3528	msedge.exe
1084	msedge.exe
1084	msedge.exe
856	identity_helper.exe
856	identity_helper.exe
3712	msedge.exe
3712	msedge.exe
4140	msedge.exe
4140	msedge.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
1068	XWormLoader.exe
2840	XClient.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

mmc.exeXWormLoader.exemmc.exe

pid process

4912 mmc.exe
1068 XWormLoader.exe
4612 mmc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exemsedge.exe

pid process

1084 msedge.exe
1084 msedge.exe
1084 msedge.exe
4140 msedge.exe
4140 msedge.exe
4140 msedge.exe

pid	process
4912	mmc.exe
1068	XWormLoader.exe
4612	mmc.exe

pid	process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeXWorm V5.0.exeXWormLoader.exeXWorm V5.0.exeXWormLoader.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	572	taskmgr.exe
Token: SeSystemProfilePrivilege	572	taskmgr.exe
Token: SeCreateGlobalPrivilege	572	taskmgr.exe
Token: 33	572	taskmgr.exe
Token: SeIncBasePriorityPrivilege	572	taskmgr.exe
Token: SeDebugPrivilege	4348	XWorm V5.0.exe
Token: SeDebugPrivilege	2052	XWormLoader.exe
Token: SeDebugPrivilege	3520	XWorm V5.0.exe
Token: SeDebugPrivilege	4976	XWormLoader.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe
Token: SeIncBasePriorityPrivilege	4912	mmc.exe
Token: 33	4912	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exeXWorm V5.0.exe

pid	process
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe
4348	XWorm V5.0.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exemsedge.exemsedge.exe

pid	process
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

mmc.exeXWormLoader.exeXClient.exeAll-In-One.exemmc.exe

pid process

4912 mmc.exe
4912 mmc.exe
1068 XWormLoader.exe
2840 XClient.exe
4332 All-In-One.exe
4332 All-In-One.exe
4612 mmc.exe
4612 mmc.exe

pid	process
4912	mmc.exe
4912	mmc.exe
1068	XWormLoader.exe
2840	XClient.exe
4332	All-In-One.exe
4332	All-In-One.exe
4612	mmc.exe
4612	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XWorm V5.0.exemsedge.exe

description	pid	process	target process
PID 4348 wrote to memory of 1084	4348	XWorm V5.0.exe	msedge.exe
PID 4348 wrote to memory of 1084	4348	XWorm V5.0.exe	msedge.exe
PID 1084 wrote to memory of 4044	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 4044	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3592	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3528	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 3528	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe
PID 1084 wrote to memory of 2308	1084	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Xworm V5.0.zip"
1⤵
PID:1588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3208

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\Fixer.bat
1⤵
PID:4172

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89faf46f8,0x7ff89faf4708,0x7ff89faf4718
3⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
3⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
3⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
3⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
3⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
3⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
3⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,699579225334689834,4543952582371399230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89faf46f8,0x7ff89faf4708,0x7ff89faf4718
3⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
3⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
3⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
3⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3384065016021760715,15886786165535857917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
3⤵
PID:848

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe"
1⤵
- Loads dropped DLL
PID:1548

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWorm V5.0.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
PID:3292

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\Readme.txt
1⤵
PID:3624

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XWormLoader.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eqvqtkou\eqvqtkou.cmdline"
2⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AFB77BF205141778072E6E3D1D859A0.TMP"
3⤵
PID:2304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x478
1⤵
PID:640

C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XClient.exe
"C:\Users\Admin\Documents\Xworm V5.0\Xworm V5.0\XClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"
2⤵
- Creates scheduled task(s)
PID:3144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
2⤵
PID:396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:716

C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
All-In-One.exe OutPut.json
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:232

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:440

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Users\Public\XClient.exe
C:\Users\Public\XClient.exe
1⤵
- Executes dropped EXE
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.0.exe.log
Filesize
1KB

MD5
a9141ed1837f780cf691c7ce790db9c5

SHA1
86d5a6683a0031226f8477cb2d60edf65325f1ec

SHA256
cf428d3c771587984baaea34a2f01139009f4493431db844f2114daff8f958f0

SHA512
c573c632ab243eb226a878e67c03b328f341ccd8c8696c0f0b6ef7bf6cbc1ae72a1444fa4ac831547590b9420092b4a43528bcffc5ddeeaca071cdb951fa4bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XWormLoader.exe.log
Filesize
792B

MD5
950d93ca99a6214277f81cf4caab1e60

SHA1
537a37483d802ac27a9ad7adb18f4556757cec2f

SHA256
f2b2df5d65fe349f24a8c7725f7c8b32be3be711bdc9ed8cc13a4c91363e9520

SHA512
2143530929e1002200473ef720a4dcc055c881a51849fcf86fe8caa69d04b99e7a36f55a2538d375bd956eb6e7c44a477a1b2cf2792aef4ea87a3a254695949c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2691478187e2ba2f16e7e118f3694f74

SHA1
700cb3410b3c4872cf953f1a5b3ed483bbb566bb

SHA256
0123c6d48c1a679c57b52e280962221f9c7907676dc0d39254b241b642cf2f87

SHA512
ec9d76aae506effd2456be1ffa99aed3a4051fd1f0f8f0a2b6796be2de1704abb7216c865eb649afb22b9e6782c9b5cf3b7b57206ac6331ac6d8cb07579eb947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0361cb59952d511a43b0cd4e67b897a8

SHA1
ef5a747cd4dc13598e6cbdea4d6c72efb445413e

SHA256
4bd06bc0cab0bb938255f896bd0509f1c45eeb21b6fe12e1472a85ba9d7d7834

SHA512
869e1746e8798478838e7e47c48715c8f86f3c624bf4572402f6e4014f58c57abcb6de59701087c87d27134568953657b66e5f06ce507092afdf952e57009680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
083b9ceceb37571de5e07ee223f81ba6

SHA1
e30b2ea9660d1bea3f0cb6eea3177a648c087b0a

SHA256
9943cca1ea24b373c56572850bbfe03170be0eff4694d4258b05a37f8d2dcf78

SHA512
bf2d0be34695dad3db22017bfefd4a381711c58cea04ee652596a323c965c8fe4e533b0614c9f9f015b327ee80ceb574d0946846dcd1558df7b269ff516cbea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
b59353ee2b1775d7826b15e50bafc28a

SHA1
3b679d68dd6f45f91b53d25290f0923cef5eac3f

SHA256
669c4850a8696046eb8d141ec95e09903f03dd9f31dd6915b79fb06f3bbe81a4

SHA512
559d14464d0771c6de5b58b6d72d0ef7cc05d4214097dd4ea7d0cf4904cc3825e37eec3829f1c304f3045738ca473dc98d4d76a840272818b8fd03618f9224fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
1.0MB

MD5
3fa641867977126c2c7b5c5e1d23969b

SHA1
9a6850bb77dcd408ac422b6672f6c670970d3809

SHA256
d15ff53e525e463f13aafb9cd302d3ba7ad42390e6432b526092abd0769a2aa5

SHA512
778c288a44e3d39a3176c07f9882ebeed39a0d9a7c3140977c3204d98a3396854870545eb6e1b7432435753306d13fac84b1bd2e535e6452d0dc5ae26dfcf2f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
1f9ce2a7dc8f99fd3af9b9bc05378cbe

SHA1
7101c00aae7390ce034a1c054411297127cb39a9

SHA256
3f751946d3541b3ea44a582fe3fbad3051c1f49d118ae104d69481a5c7544908

SHA512
b2bf013ee8e34b395b6a9ca40224ffb9db0e66f9762d496297eb72e7fb815fcc3fcbb2e272f29db8b34f852bf136eb5f7fdccb1e3580a09216fc70c1a62745cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
28KB

MD5
ec07ec9529f1e042a96e04f891d81a3d

SHA1
f987ee512dc69721a8f2994df82b6362f0dc5786

SHA256
d98f9835f3e5f050b96608928fd8fb2bad0c2085342c7ea246277bda6bfff371

SHA512
d79d501e4ceaa15e0c02951453ca657cca0cb5b11372ee2602105ba6dde0032611643b014f919d0fc09dadedc60c4e761eec76e4bacdbf9709e586d3df1f0675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
80KB

MD5
14e39be019da848a73da7658165674cb

SHA1
e016473c4189a8cc3dbff754a48b3e42d68af25a

SHA256
39595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd

SHA512
828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\efa986235cc38916_0
Filesize
195B

MD5
f3e63ea1ff2408be2215e9774f50a2ee

SHA1
b144f9a2c9b7751f3bca9ed258d99156b52d1d0a

SHA256
982c3575db7f3d20ede4d7992e9bcfdba4aaf7fec448c2ccfef15b40f8a0f367

SHA512
46be9448e4370ce82e1059b5b84035d18d021798d85cdd4d35838bdfb67192661e91273cab9b3b0c9bc4af3f7ca60b14f7951ece5c8e5644e900215e538f6696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
bd8ca55194434466f31c9f3267ff8995

SHA1
bf526375d7ad59fb72cb8fae5cb08d715c125294

SHA256
4de98aaa169c409bc1966e9783a8c5b38fa8508af87eec9d506af47f56ccf525

SHA512
64cdb6dc4a7ae15ea0155f6dfaaf168b34721947551a04a58b52e96dce9716d94ae93c3de2f2e629326eb14d5c12b9ecd27f11ff6eea3662cbe92e3a2acaf70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
91e7d84d27bad1ecea505fce683a4252

SHA1
48406f31b33373348dd6a923b1adb152fd318016

SHA256
675c51c7db25d249dbd2d06e84ce1f821143a2f354497d7ca25825388396da0a

SHA512
3dc2b05c4194184d174a42b5f3c8fba7bb10f6daa390d5e4fc926cbf21a9f9e83b63093aba8a94ece26de062e07586e2685912bf5a17f84d64fc89e10f00f7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
91e7d84d27bad1ecea505fce683a4252

SHA1
48406f31b33373348dd6a923b1adb152fd318016

SHA256
675c51c7db25d249dbd2d06e84ce1f821143a2f354497d7ca25825388396da0a

SHA512
3dc2b05c4194184d174a42b5f3c8fba7bb10f6daa390d5e4fc926cbf21a9f9e83b63093aba8a94ece26de062e07586e2685912bf5a17f84d64fc89e10f00f7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
4a7edd09c67182db8c411fc288e75cf9

SHA1
4b68ebebd028ac1e97b266ac5189dec87a6837a3

SHA256
5b89d240341e3a24b5ac0e6265dac19473383d1cb5cabdf9b62d88ed48b08fd2

SHA512
6e5a39fd993524aba1cad0adaa162b68497b288cf1131f0b880a0883b8814a0197ceca2053d34310ce3cd7a9e2fce1732159cf4c381355722aa3e99e1554306e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
0106c49ccdfddac8fe8b5aaeb118a0f7

SHA1
d94b3581a8a56065fe52c1e764c2d131e81c5e19

SHA256
f4baa2a36cfec23f3d8d624a0a40c76baf1dc0a7a15109b90e4e73bf58271d12

SHA512
b9fe30e16bf6b00257b9c9bc83f954a401a9e30b04f724ec01417cb6cdbf19b45f4efff4e87ad8fad15b3f59e9c370ca5ff7933c80c64b0858a9ec088c840261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
74fe0461445fdbaaef2178c9f2facce2

SHA1
42a58cc278dc08105be35d6bac7065c601fff153

SHA256
7144e862f0f40eaaa56dcc8387479d6e7e7e4a4c7bb75ca86b84cbc6dc9f98e4

SHA512
a4a58707d27acc0c69a0009194d5ac5a66e73bcb34c4d5f7da3be5c72ba0add274a6d71c0a17d6fb7115c3023e630f88b43d380257b6b2bc36113a74d25888c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
456B

MD5
a5c943fa8e9bb9a86ca3c5cbd201152a

SHA1
64d7a69ea9a3ca58ad6ac8e21586215ee7ad0032

SHA256
eb93673bcef23ffe21184523ec989c19ba8423d97726a76cf2d199e2621db909

SHA512
537da0009c654384d984eb6bf0a7846e4920ccc7a3b18d48e42a210c809f0233db337f3ff8f04898da51f8d4f41d0c8b105828387f661cbb341a54ccfbe1528f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Filesize
20KB

MD5
97ad768770599ffcc8b0720aa26488d6

SHA1
f24265fad1530f36b0f5cb8870edab0060ae4eda

SHA256
06deec7939584de4ef795ed2481a5c60f1c8671e8d69e7a383923094429d4877

SHA512
e06d1c0dbfdbd72f1a7b96b159ce8ad5539c9400c567142c48bfbb659846b50ac6d532b10f117c4e6951d862286a6ad1245f20c5276c22defef418616a63f61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
26c63795a8733372672916adad1ae697

SHA1
2894e3c68bf06373a38b3f700f85af95c71afe2f

SHA256
b5cdd5325477bfa4f40daeff8c3db3acd38296e83ebf608a44d0acd3eb2c5c3f

SHA512
a714d0a7ee26bd45155541eb439a4227162ff00deb1e1bcf2d27ddfa5a9e148fb903afc6867d358e8e62de51d46053e6bd984b2a9f9817b1c39c0ba17242ac2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
442B

MD5
e7c93c097e19ec62218d6a6792c5d9c7

SHA1
517ad50ef02cd83c2f51e22dfe348bbf9628d962

SHA256
51ce2a687b0246744c75b74fa418a9ea299829bcb9a147e884f3ae8216cfaeea

SHA512
0c2c7325b834de4184a470f9fd146c98b8bea07c811935d90fce5136c6e8436502080d0511d9a909213056032fc41a36143410575b86cb5a0232cc86b2e40edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
442B

MD5
188d53a22b83727527a8eb0c96122223

SHA1
084a32b07f87abed10d0d8c0b32f1370d04c3786

SHA256
c16175464237eac3a7df51c2d3aa743c5f62af58497a3565aa324b32dbccccef

SHA512
09580cd729f282678c530e7e495d4713d446030acc9e9bd9564ed9645f4ade5ca4e7c29427bfaefb416c0e53fa941c8ac216f2c2a9ae8e3cc02863e32d3770f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
442B

MD5
188d53a22b83727527a8eb0c96122223

SHA1
084a32b07f87abed10d0d8c0b32f1370d04c3786

SHA256
c16175464237eac3a7df51c2d3aa743c5f62af58497a3565aa324b32dbccccef

SHA512
09580cd729f282678c530e7e495d4713d446030acc9e9bd9564ed9645f4ade5ca4e7c29427bfaefb416c0e53fa941c8ac216f2c2a9ae8e3cc02863e32d3770f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b691e1f215b6abeb607da046e6bb7c7f

SHA1
291c40abdf0d009bd827b3e07cca6b69bf1fa162

SHA256
e3037b67ee6bad75207a0c4a04d3f80d3bf60e63c1f2a3fc640c0210b50da790

SHA512
039ea30f7775346a665e151644b615080606d1894db9ccc1a356339a0ce89c73e9a4d1c31f534a2e3c20adfc659cb7f23ba97928bad47e9068897c47bdb576de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b691e1f215b6abeb607da046e6bb7c7f

SHA1
291c40abdf0d009bd827b3e07cca6b69bf1fa162

SHA256
e3037b67ee6bad75207a0c4a04d3f80d3bf60e63c1f2a3fc640c0210b50da790

SHA512
039ea30f7775346a665e151644b615080606d1894db9ccc1a356339a0ce89c73e9a4d1c31f534a2e3c20adfc659cb7f23ba97928bad47e9068897c47bdb576de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
634d5462b1de7e1b0c1d723fd30f369c

SHA1
dbf2da3680b5acf763a8b593ac145c4c6ec6fdbe

SHA256
e63ca10d1c6f3ad13cec4e9a5f20ae96f2da84a83589c427ee2b44f0433ed127

SHA512
a4d64753aaeea376d86bd32c02bac9a2b296b0d2c3e024be57467c6179a532c86ad130a3c3863d2a0c1beee8258da46681ccf3fa5e9062c91fe42d8f644b9135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9583e4290b223efe580259cda2510bae

SHA1
5881269132ba149fa7ea96d2842e6143a1708116

SHA256
6b3daa77c7ba66e809153181bb2f0ed1d9506e40055fba2b5d66fa550dc6c3ac

SHA512
1d87b100163bb23fe92097c4fde634430e3b478194abe07a40d93a3574e0de32177c97199e86e33ab5778f429c4924e97182e760a6ae8042b033fa281e449159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4999d92c95c33839eb85d4c88b561594

SHA1
bf62d55a22c3deb8ad855e4e3d484d1b5809e01f

SHA256
1b08e882bc6fbd92efcbc04e6f301dd42e45386e222b52eea47d556791c3fc7a

SHA512
83885bb7b614eaac169563e33a48b15926b2a647211cb9fae2940341b1a5495f149f7b90dbda3ef89f60d4de821fc862b3208ac4768c1a9202fb3ac6b50f5792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6b6bd47f12e650fb7d0d5619552ea2cb

SHA1
2c1f8806733043de8eeaa69989fc12e24c061711

SHA256
0bbfa15df23b47f0263d8cfdf6f156813907f8c0a1d81f1e8929fee1e8b13096

SHA512
4f69869d47ea5b798d013a15e92c3b0d1741acaaa9f240caddf9a9f8fc456a029e6b26d5c6cd7a80839d4c9511d9bd1e68402c814836d79bb4e4b08ef8fa1130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6b6bd47f12e650fb7d0d5619552ea2cb

SHA1
2c1f8806733043de8eeaa69989fc12e24c061711

SHA256
0bbfa15df23b47f0263d8cfdf6f156813907f8c0a1d81f1e8929fee1e8b13096

SHA512
4f69869d47ea5b798d013a15e92c3b0d1741acaaa9f240caddf9a9f8fc456a029e6b26d5c6cd7a80839d4c9511d9bd1e68402c814836d79bb4e4b08ef8fa1130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
322B

MD5
d8af9de3b4c61a44abe8ed42f1166c91

SHA1
b9d4aa96d026d52fc3267fdad855ed620b8e0fbf

SHA256
bded424d0d312778b586bb6030613f1fd5e122b1dd9b913481fbabf42cfd7b3e

SHA512
1d2cdccebc8b79f475074249f9c5e4f147512ae1bf5e53b4a0e28fda06e863de4dadc89fe2212447bc63dc1d523655839030e1a2ac0e1140216f54f9d042c31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13341232723678189
Filesize
1KB

MD5
511d1c0c14ac687d14a5c2d1525aa8df

SHA1
c73f7f4d4cfcf7284ce8fc19adb99b9e0605e83f

SHA256
5b5f6226e67f55a2b96c3d57f57821f54fa54cdadacce487520dfb0f87474d13

SHA512
68fa89149d9ab92899d7d00dc06515321c1cf970a07612e24da223e7c59b67914c6322419327684f369cafba16112ace8203c3985e6f06eee6e31f580be0e4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
2469594309c82d19fb59499c95f96da6

SHA1
095d98c3fba9df02dc05d38d7a84f93ec8c7f0ea

SHA256
03d441bed4a888fd010b4d2a1587c0b5e709f1809b9a4cd00d113480d0b0a5e7

SHA512
e5292b517a9d218d4eb0aff26f6fd0fe1c1bd228138e2347cce21f3317f8781ca408e9f26e40730afdf02f51ae8a61d44d3f28a9f752bc8a971c6227f20c596d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
92fe2278da7e7a10d2c95912c780cae3

SHA1
af1383a0a718b189fa4fa7a36c6f6233936097a8

SHA256
b3c628d776c014993be58240d493839da22057215dc56c2d43340560a01a77b4

SHA512
8ef6cf3569819b67971aa28f4c3ede44f31c8491811f35d02c6ef3804b20af0bf904c3acc0f5b93142d0ae57e01a8f4d22310fb767d328f737867c8b9cb4f824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
a7192a2475ac56e7531122ad67af963c

SHA1
e49b066f77e765c7a6763651a9edeee36ba51168

SHA256
6ba30052395873571d5d0e4b1d63571dd110f0b91b4c92f32a125dcb72e782d7

SHA512
9942c4849d340fa8970f4ef1995090cd17b371f2a38d20592fc05c0f90d5252410d048c274a66763342204ef277b04773186fa8336900645a958ba154acb971c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
87b24b8bf6b540536c492af8c7263335

SHA1
60dcc7e72b1c71f3dbb52d55b320d871a7aa83e8

SHA256
9ef2ba3bfff1b09850de507b9eff373c4b5820487a6c6804af5b110c034b66b9

SHA512
58ec66769bd2a809200ec091ec6d6d4c6b77c0953d826b5834e4887eb1021246ff21fb14b75b075989db82ba26b79023814cae80a47801ce3aaae57fb79fc107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
7c87e235f54440a16ddd07d7497ccc5e

SHA1
387ecd62277258e1d1d5352f979958a73d4b4a2e

SHA256
2f03289b52d433bff01075b49876d52dc4b5a3308555242716a3d1167ce12306

SHA512
7204415f5c90d1a28622cb57b42ec79ceb8cc1d120fdbc7389f7267b6132f32d2b6cbbd78fa93eaaf76e5ed139b11a5edb947d8896c7c63fd5929c8987bb3103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
a849195bb1033fd69d09771ffcfc11a2

SHA1
0dfcfe3b4911b39e550b2a942a6117be6cd7fb70

SHA256
df0c4cd400718f1be97805d793c4b63f8def9bb4231a27dae9f382dde93dfe85

SHA512
7a22b6ad7461ccd144908d0ad72315a20c9b935710c57f95ddd76e28c921bcfffd06eedaec57d3fd8887217ab68688dd14b457ecac9890b998057ca295029ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
136B

MD5
ff5ffa5ec17bb61d52985f6f58f5bc02

SHA1
8494f429a2f32659d0ee2a3d28a555ea613d3110

SHA256
5b13e097f4798419e500779dc7a4a2d51491fab8b89e70ba75d86020ca6b7b2a

SHA512
ec47447047a58ac919b94f0007628dac5476ba49a4559883dcfda4b248b4b75aaafa7dca7dd9ce571f152c15a0c30357b618b2199602e6ea28bf21a501889e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
7c8e323cd06fe5e2e1835cc4d209a441

SHA1
5df40836d3c6cdb7180f1a5f89876d15b7f8eabc

SHA256
61adc46f1569b39937ea548725d60814a0c2934da1dca973614c9e9ffca1fa6c

SHA512
3abe6e669d9e405a63d952f4815e83b46d3e578a8367c5a2932036a173ce4726ac55d75a578b298a88ffa01c811325cf2539dae0310f37350ac53bd043e445b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
206B

MD5
f9e56b4b16121993da5c6d6403dda0de

SHA1
34de242d2d6bf6265dbe9af68ecb6eb68d9e22d5

SHA256
a736d9e36117e36cde5a7c7db442a6848bab8fd57d93de4b13c97596b48058a3

SHA512
49a8cb53cc89ca136ec658219135904669fa19c01baa057526e6ba64721d7a4dbc9c322d14e1701381cc2ae0b778b47d5547a49613bf7cd259d146b304c1818a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
d1a0cfa05678d797b6a0e5fe2bf20faa

SHA1
9430f73954782ca91585cd26013861633278ea2d

SHA256
17826b24ed16fc3bb77588cfe070473df2f3314d4f2d82e0036612e224431cae

SHA512
52d8592557ef1fc85c2e609d72c456857dc30545f75b6721453ee160f6072e29f75a99ef163c73f73765629cdeabdc3d5ef66ea164be6d8363bd2552f5300508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
594B

MD5
8787f9af16d95d86211cf4d2ad7e4d28

SHA1
38b209e5e05194b244f0ba9e4201343fe78bd084

SHA256
8d0210d5074ad3ea46e38cb5ed240aabd3e571460df0de37369e481e736d96fd

SHA512
160b8a98792399851245d1563521bfa6f757505121c3c7c5e481a91fbe556d66ab0b6bd98bc0c1d5862935aca42173a43ea5f27c9bd861371f3864f06d1d38e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
f2824261e8d4b40246efecf63c2a6522

SHA1
2eb4410ede4f03993c1b0ec4b0db48295c9afb50

SHA256
9709dd0b6782f8341f68129f9440b646ee2fe0cb22bbc5837759fffaea8fbc1d

SHA512
a7d4443badbd06534f8d42188bdce71f838dafb2be49f875e51001c759832fdd30884376f59cdca85da7ea5809698b896f91f8d1f612db6d6df1785786421150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
519c94ae79df3ab90b104d7e83f46172

SHA1
c652088ded7deb3173da6daf48455ac8c8299a61

SHA256
e6d210d1f543c19cdada09034d4192c445a79e6f6f2ed0ea4e75497d6baf75e8

SHA512
f8c6771e9a6ca0fbaa2b36ae65c30f8361af43f9d41b1c83871b96ba3f70038b4e8b15e9a8f45bb9e647a157ea768c5d7b71b01ca94ee24f89387e16d0b03bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
5836fb42645112242bed7c0e999f2e6d

SHA1
9fd78d9a9fd04b22918139216981f62028508b08

SHA256
cd8bb67bbe88992642513fc73a662e6f44173bc9f07141ca3bca80ccdad14b05

SHA512
22922abcccac0d7c9a799da62f949078c96038b842bd82e8ef25c9d49a41bb0201deb13a28d107c96b1bdd59e0da70be822caff61c55a6602510ad30b581c48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
bf2fdae4e2149ac18fc597ed87cdbbf3

SHA1
35451eab330245c7e4a77d428daa46792b15abb6

SHA256
d293f9f8b0b3bc3df5b5d543b0b2938533d8182e227723a271dd3e7a4ab97ac3

SHA512
235c1caa4f3aa6c4b879946bc955a7872a2074961cc6e81dde5fcf302bca8cb4dbbf7cb342f2c4cd25424ee2c5887df13d0af99fe7a5922710ad7f2c14c4e290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
Filesize
16KB

MD5
f55234db88c6538e3f4ad45c114435f1

SHA1
c4dba9a32f50f2d9a27ce81a1d62f7587751e6b6

SHA256
bf139ca7efd187c36f3ec33691f427205a63ca2707af18bc25430637928d713a

SHA512
8a621fa5044977bce987b8259dc850faf83f4e82f4df1a7a689dbbb0b9b065676842f7ac462b77f66c3ef892c3272960bf5de4c0dd4f02e85430b368867feda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
Filesize
16KB

MD5
4517391bc8c55acdbe1f4c2f0d1c1fc8

SHA1
ac51fcf3271333d222e4cb526431817f48345a43

SHA256
3c82cfe4ef2e80ad0aff5da477f399da7d5c0169968b800b1bd730c7eadbcd8d

SHA512
e85033dd2a4a4038512102052bff9e8a76e7a43d609431d987d436f262e21fcf1e298441cd378590db0742ca65845bd1585a7cba496aebe245a8084dd616e5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003
Filesize
16KB

MD5
8feb503d057a1dfc7121b0aa2c7cc10f

SHA1
0d25b47e8482de37b7f615205b8a45162e1049d4

SHA256
e816b1086f600fa2096189c847f34de90dabd33b899de28ce199682eaf17c713

SHA512
a193f820d8719a47d6f52ff9ff2bf76c27ea3611e87a582543c8a55595af25cb3d1bb00913f8c2a4f2ed027ea2749717faf84d75e887f32610dce4d6ce105595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bb53097c61c5615cf0cd091eced06c2a

SHA1
7c5849afdde31c7bf58b867590a5a1fd1b3821d3

SHA256
dd69cc97a13b4b4bd27592d56471bbe9c0c87d4aa1bffb1c8f096a584c342abb

SHA512
36163b52f3cf43b598c307fc40a62d6fd4788b79ece87e5eb774fbb4d942dd8802c04d8c132fee9d72c494850a66595ba4d660aba4f6b58e5d2768356401aa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
eccd77feb5aed6a8364621ca8dee14d6

SHA1
4831f8516e33ee44d16b53c4e71851e2d500279a

SHA256
0b1eadae5255d2f6332c26f6fc90ae8e70cd600214e4624615ceee8a19b65a75

SHA512
2588a337d77a41929252609cbe510c1600df8aed1238965da1909c725482e1b67838b9e7c313e975f53f51bd3ab8a50de61a24510f27392f17c2db8c0dd14fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bb53097c61c5615cf0cd091eced06c2a

SHA1
7c5849afdde31c7bf58b867590a5a1fd1b3821d3

SHA256
dd69cc97a13b4b4bd27592d56471bbe9c0c87d4aa1bffb1c8f096a584c342abb

SHA512
36163b52f3cf43b598c307fc40a62d6fd4788b79ece87e5eb774fbb4d942dd8802c04d8c132fee9d72c494850a66595ba4d660aba4f6b58e5d2768356401aa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
5B

MD5
546533686193b3502b9f02bcd2984ca9

SHA1
f5306738d3c9da371bb89dd11d4dfd63bcd55518

SHA256
9a94d4c3b2470fe5a9cad4c2b6409ef3a4c5a5df4b32433b736edbd249d96194

SHA512
879643d632160334efa1395f56176845b908f5599b37ebed27e5e2b016239be343a3857caf0c19e4950e711ca715fe2d847984d423f1529d630c5994cbf60f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize
84KB

MD5
230e9947bdacac72fa6556c32a3fd721

SHA1
c534758bd97f59782da939ca8c43e76df394f920

SHA256
bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd

SHA512
259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize
84KB

MD5
230e9947bdacac72fa6556c32a3fd721

SHA1
c534758bd97f59782da939ca8c43e76df394f920

SHA256
bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd

SHA512
259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize
84KB

MD5
230e9947bdacac72fa6556c32a3fd721

SHA1
c534758bd97f59782da939ca8c43e76df394f920

SHA256
bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd

SHA512
259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize
84KB

MD5
230e9947bdacac72fa6556c32a3fd721

SHA1
c534758bd97f59782da939ca8c43e76df394f920

SHA256
bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd

SHA512
259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize
84KB

MD5
230e9947bdacac72fa6556c32a3fd721

SHA1
c534758bd97f59782da939ca8c43e76df394f920

SHA256
bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd

SHA512
259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll
Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll
Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll
Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll
Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll
Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll
Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll
Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db
Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
\??\pipe\LOCAL\crashpad_4140_QHUOUKYMYIJQHMYW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/572-12-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-2-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-10-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-11-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-9-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-8-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-7-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-6-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-1-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/572-0-0x000001ED75B00000-0x000001ED75B01000-memory.dmp

Filesize
4KB

Download
memory/1068-489-0x0000000005F50000-0x0000000005F60000-memory.dmp

Filesize
64KB

Download
memory/1068-488-0x0000000005F50000-0x0000000005F60000-memory.dmp

Filesize
64KB

Download
memory/1548-67-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1548-62-0x0000000005360000-0x0000000005366000-memory.dmp

Filesize
24KB

Download
memory/1548-76-0x0000000073FE0000-0x0000000073FE1000-memory.dmp

Filesize
4KB

Download
memory/1548-78-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/1548-79-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1548-59-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/1548-60-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1548-61-0x0000000005250000-0x0000000005256000-memory.dmp

Filesize
24KB

Download
memory/1548-68-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1548-64-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1548-72-0x0000000073FDF000-0x0000000073FE0000-memory.dmp

Filesize
4KB

Download
memory/1588-536-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-532-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-531-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-533-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-529-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-526-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-527-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-534-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/1588-535-0x000001AC19D10000-0x000001AC19D11000-memory.dmp

Filesize
4KB

Download
memory/2052-30-0x00000000050B0000-0x0000000005106000-memory.dmp

Filesize
344KB

Download
memory/2052-92-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-73-0x00000000079D0000-0x0000000007A26000-memory.dmp

Filesize
344KB

Download
memory/2052-69-0x0000000004590000-0x000000000459A000-memory.dmp

Filesize
40KB

Download
memory/2052-23-0x0000000000A80000-0x0000000000A9E000-memory.dmp

Filesize
120KB

Download
memory/2052-24-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2052-25-0x0000000004AA0000-0x0000000004AE2000-memory.dmp

Filesize
264KB

Download
memory/2052-81-0x00000000737DE000-0x00000000737DF000-memory.dmp

Filesize
4KB

Download
memory/2052-26-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/2052-27-0x0000000004EF0000-0x0000000004F18000-memory.dmp

Filesize
160KB

Download
memory/2052-65-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-28-0x0000000004ED0000-0x0000000004ED6000-memory.dmp

Filesize
24KB

Download
memory/2052-82-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2052-83-0x000000000B340000-0x000000000B3A6000-memory.dmp

Filesize
408KB

Download
memory/2052-91-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-29-0x0000000005050000-0x00000000050AE000-memory.dmp

Filesize
376KB

Download
memory/2052-42-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-75-0x000000000A1D0000-0x000000000A3C4000-memory.dmp

Filesize
2.0MB

Download
memory/2052-31-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2052-58-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2052-93-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-32-0x0000000005010000-0x0000000005016000-memory.dmp

Filesize
24KB

Download
memory/2052-57-0x0000000073FE0000-0x0000000073FE1000-memory.dmp

Filesize
4KB

Download
memory/2052-33-0x0000000005120000-0x0000000005126000-memory.dmp

Filesize
24KB

Download
memory/2052-56-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2052-94-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-35-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/2052-95-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2052-37-0x0000000005200000-0x000000000521A000-memory.dmp

Filesize
104KB

Download
memory/2052-45-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/2052-40-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-55-0x0000000073FDF000-0x0000000073FE0000-memory.dmp

Filesize
4KB

Download
memory/2052-39-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-44-0x0000000006770000-0x0000000006D14000-memory.dmp

Filesize
5.6MB

Download
memory/2052-41-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2052-43-0x0000000005CF0000-0x0000000006762000-memory.dmp

Filesize
10.4MB

Download
memory/2936-469-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-468-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-470-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-467-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-466-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-465-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-461-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-462-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/2936-463-0x000002A4A3ED0000-0x000002A4A3ED1000-memory.dmp

Filesize
4KB

Download
memory/3520-100-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-84-0x00007FF89D010000-0x00007FF89DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-87-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-88-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-89-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-96-0x00007FF89D010000-0x00007FF89DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-97-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-98-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/3520-99-0x0000027B76780000-0x0000027B76790000-memory.dmp

Filesize
64KB

Download
memory/4348-13-0x000002105D9E0000-0x000002105E452000-memory.dmp

Filesize
10.4MB

Download
memory/4348-34-0x00000210791D0000-0x0000021079D86000-memory.dmp

Filesize
11.7MB

Download
memory/4348-74-0x00000210791C0000-0x00000210791D0000-memory.dmp

Filesize
64KB

Download
memory/4348-80-0x00000210791C0000-0x00000210791D0000-memory.dmp

Filesize
64KB

Download
memory/4348-14-0x00007FF89D010000-0x00007FF89DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4348-22-0x00000210791C0000-0x00000210791D0000-memory.dmp

Filesize
64KB

Download
memory/4348-36-0x0000021079F90000-0x000002107A184000-memory.dmp

Filesize
2.0MB

Download
memory/4348-46-0x00000210791C0000-0x00000210791D0000-memory.dmp

Filesize
64KB

Download
memory/4348-47-0x00007FF89D010000-0x00007FF89DAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4348-49-0x00000210791C0000-0x00000210791D0000-memory.dmp

Filesize
64KB

Download
memory/4976-121-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4976-120-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4976-101-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-105-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4976-102-0x0000000005B50000-0x0000000005B56000-memory.dmp

Filesize
24KB

Download
memory/4976-103-0x0000000005BA0000-0x0000000005BA6000-memory.dmp

Filesize
24KB

Download
memory/4976-106-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4976-107-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download