asyncrat | hxxps://github[.]com/errias/XWorm-Rat-Remote-Administration-Tool-

Analysis

max time kernel
166s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

Score

10^/10

asyncrat toxiceye def agilenet rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

win-xworm-builder.exewsappx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	win-xworm-builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	wsappx.exe

Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

4064 win-xworm-builder.exe
4652 wsappx.exe
Loads dropped DLL 2 IoCs

Processes:

XHVNC.exeXHVNC.exe

pid process

3000 XHVNC.exe
4932 XHVNC.exe

pid	process
4064	win-xworm-builder.exe
4652	wsappx.exe

pid	process
3000	XHVNC.exe
4932	XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3000-274-0x00000000068B0000-0x0000000006AD4000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2932 schtasks.exe
1964 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1504 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1708 tasklist.exe

pid	process
2932	schtasks.exe
1964	schtasks.exe

pid	process
1504	timeout.exe

pid	process
1708	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exewsappx.exemsedge.exe

pid	process
4428	msedge.exe
4428	msedge.exe
3024	msedge.exe
3024	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
3324	msedge.exe
3324	msedge.exe
4652	wsappx.exe
4652	wsappx.exe
4652	wsappx.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

XHVNC.exeXHVNC.exe

pid process

3000 XHVNC.exe
4932 XHVNC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3024 msedge.exe
3024 msedge.exe
3024 msedge.exe
3024 msedge.exe
3024 msedge.exe
3024 msedge.exe
3024 msedge.exe

pid	process
3000	XHVNC.exe
4932	XHVNC.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

XWorm-RAT-V2.1-builder.exewin-xworm-builder.exetasklist.exewsappx.exeXWorm-RAT-V2.1-builder.exeXWorm-RAT-V2.1-builder.exeXWorm-RAT-V2.1-builder.exeXWorm-RAT-V2.1-builder.exe

description	pid	process
Token: SeDebugPrivilege	2704	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	4064	win-xworm-builder.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	4652	wsappx.exe
Token: SeDebugPrivilege	3144	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	2644	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	4564	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	3592	XWorm-RAT-V2.1-builder.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exeXHVNC.exe

pid	process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3000	XHVNC.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

XHVNC.exewsappx.exeXHVNC.exe

pid process

3000 XHVNC.exe
3000 XHVNC.exe
4652 wsappx.exe
4932 XHVNC.exe
4932 XHVNC.exe

pid	process
3000	XHVNC.exe
3000	XHVNC.exe
4652	wsappx.exe
4932	XHVNC.exe
4932	XHVNC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3024 wrote to memory of 208	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 208	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2924	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4428	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 4428	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe
PID 3024 wrote to memory of 2184	3024	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd40d46f8,0x7fffd40d4708,0x7fffd40d4718
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9568888773627191039,6216927088817181846,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5088 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat
    3⤵
    PID:3712
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4064"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3596
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1504
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4652
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1964

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:4200

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XHVNC.exe.log

Filesize
1KB

MD5
04c8f9d12b040efc35784774b6a9a528

SHA1
2dbd9f2a34356cefadd93cd1d2edb243b957b39c

SHA256
b5d63a221df6a3a1019e07da6715d0665eb363c583275eed803ac474617c2cc5

SHA512
9fa848a1e511f36b5b1c7467608b5f48169c15c64a33b2e95ba598a08086b88663dfd12cb4a238028d42d5727cfbfad9190f93a60b9f5306ccd1383595b1340d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3d9a9e152446f53b3f43263b08580c6e

SHA1
e6959e3dd11aee582ffcf14c08a4af86014d9353

SHA256
fdb50f8731cf9b824a0e00bc9805f5a1d2a9e415558da9005c1721a281992393

SHA512
10329bb7104094457840771f49bde5c5a9fbf427d4d3e9409002e00d37299d5edb9019c5b410519fdd1f3db33c273c4a6a988a247f13fa47e9da93e7d77ffaa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
0028a1a5c441a3cd5a60c34da771564f

SHA1
e15d27a8322b435564ebcd36467b997d0fa8ef32

SHA256
8dc36283781a25af9e2ae76d255ae311b2715396f710ff0e9850b0e64525759d

SHA512
e26efd2be3114e733acdc00fb54150790872b10c88a7c4d3a19a16383bf58897ad89f14b3255a984f836666b98bafc099d8988532d03acda0dee7a7a7da3f40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15e9d2cba2b927283e61d0c1c0a18656

SHA1
3a5e80585e4cddaf641aa018b7bfe61a1a2ffbe5

SHA256
497a361ef4e7a694fa2b543b7781d45a23d03269aeb14e466cdcb714a00216ed

SHA512
a387b3297f9a775493cac4292c497957f9955143f16bdc6e89d99545acaca95a296b40ccd69a35b9c7e555e3e06137b97b35c652b31a3b36b8a9f6af5740c0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd0cf6061538426043f5548d696570ac

SHA1
2a9e1b6058c1d145c5b8ddb689cd0ba2854f5749

SHA256
4d7e4c7b92345a4ed5ce7b7e70b232f1b4f8fd7e1b121a89125ac7fa1ba0a5c5

SHA512
2f92b46506f956d257b544541281c4c2280976303185b2ce9a9f64fbe3ed285b664fec6ab0b900ea0e7dc1a6919a15434d8eda52e7d4d9408f30ddaa56dccfc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55c4da933007dc3e81c4c315dc8cf266

SHA1
cc7b7af23eefb98611abec8fe074e074e222d99a

SHA256
31e649f933b2680f3a38346cb2513a312d2bc598d39c13dd171a53487951cf48

SHA512
d3fbbdd4e65d7f0bc613176f3c771bd54ad5a988e7fe0d803375ff710edc63748682b01f0e2799389a97baba8c251516298264d0b7f17b06779ee547bb13c15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5deb8b5be20dfe4481a03e24809b3270

SHA1
c7ea5c7cf1528961cdfaaed8949ec2c60e4a2a89

SHA256
7852de20a60adc0d3a32e88014e0135050a2e1d3dd9f43dc17160e166a6b2ece

SHA512
5bc14ede39b2a058ce7161216d5396ac254502e4680ee5f03ed0785876c13699e3b4ea12b44b45d454b057f1bc26a0cf6566333705315a307fcedb8ff8590037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f696981c87089b3898c10ae5717fba5c

SHA1
568784427b56b2adeecbb8cf08b6ea97a4574286

SHA256
9ea87e450fd7b230c417f94a661f0ea5a3c023d3bd6a623e7d711715eb62b2da

SHA512
e157308132f184e324f60313c94a3fcc52b44638a5ac4e3e82f3fddd8c935580320ba04da63fa84575064448a70503b2e7aa7c2b1ec0c534c46874cd61267360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c98a.TMP

Filesize
874B

MD5
ec1de69c6cc6f75419eb090e33e08d6f

SHA1
0784b39980803bea826dc693f2fdf7a5b2a1027c

SHA256
3fb80cd938a0808625ed15b6d1358a688934420a934d28121645f446b6652fc0

SHA512
ad5e120b93493d827a237d0ea2d3c36f25ecd60e7faf0b8efc2d44027bbb9ca1e14c09d6af97fd294fb373a561287d57cb981ce3ae9de231ced91b0cad058af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c1166d30-3bb7-4ac2-b946-bbe21a1efe40.tmp

Filesize
6KB

MD5
98fa66212f006f705788fd6da9e3f973

SHA1
9b3f7d21b668f226a2bef82e66a633e0a1dae2a2

SHA256
1eb41b4bd72bca6f4b636aa97eff21fc5b6bcd8206bdc7673f56caeb48af2e1e

SHA512
5a45b8b974cc66eb0bf446f21f6f1d5df172fa4b4cfa6a9a341c6574c46075f8db92f59386ce09e862bd4d8f12c28645271c93ddd9ac8f15ebae1d73b0371000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76a05a5b12a7a76f76e0d44e39352c4d

SHA1
3538b7909173ad811056f07415205727c8dff6c3

SHA256
6d1a1ce61a38ee1ad01fe0331a77aef1fed357d4f408ca3041c01c454070661e

SHA512
9e27e9f66baab3e4ef156aac4e02d7cc20408f489dd65529f321e26f4d70696eea2139f67ec8635fe61d4b511940404621d6d008a504d790832becaf9cdcc7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90f2ead430e6152ae46aeedb31ba1cd1

SHA1
02417af3d59d48a02db89db20d149dc5bda920fe

SHA256
8348016b0f9fdca9423e5c70f63a9da1402c374bde6e9011167a688a63c6afd0

SHA512
1f245f310016a9b3bae04591a8dd7d4e2bcc508939dfe52cf6671a7fe91432b8544f680aa5aa9f64fbb1227b44693547f8468e3fd63bd214ff4fcd76c29c3674

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat

Filesize
195B

MD5
d1d426938ae36e52ba163b1ae02a98c5

SHA1
0427ee21debcb2a7702d3c43176a61f5eb342c69

SHA256
61daebf45c97d0560808c962b011c02da75c9d2e4a0ef1a38df6cea3f4c1defe

SHA512
de5621abdd58cc1fe01b700215c2a8cb922b629d7ca1589fe6db39d4374aa24b95f7207dae4b2155aac24d093a608fbf9ef8eec5a96b711c1c8d51250a6c7ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
\??\pipe\LOCAL\crashpad_3024_JQRGDGRFHYPUAIWC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2644-335-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/2644-334-0x000002887E900000-0x000002887E910000-memory.dmp

Filesize
64KB

Download
memory/2644-333-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/2704-305-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2704-303-0x00000258BDBC0000-0x00000258BDBCA000-memory.dmp

Filesize
40KB

Download
memory/2704-298-0x00000258A53D0000-0x00000258A53F0000-memory.dmp

Filesize
128KB

Download
memory/2704-285-0x00000258A3300000-0x00000258A363E000-memory.dmp

Filesize
3.2MB

Download
memory/2704-288-0x00000258BDE20000-0x00000258BDE30000-memory.dmp

Filesize
64KB

Download
memory/2704-287-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-282-0x0000000073A10000-0x0000000073A99000-memory.dmp

Filesize
548KB

Download
memory/3000-317-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-283-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-332-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3000-274-0x00000000068B0000-0x0000000006AD4000-memory.dmp

Filesize
2.1MB

Download
memory/3000-273-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/3000-272-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-261-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3000-271-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/3000-304-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3000-270-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/3000-319-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-264-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/3000-314-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-263-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/3000-316-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-284-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3000-262-0x0000000000A60000-0x0000000000C4A000-memory.dmp

Filesize
1.9MB

Download
memory/3144-320-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/3144-321-0x000001E71A530000-0x000001E71A540000-memory.dmp

Filesize
64KB

Download
memory/3144-322-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/3592-347-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/3592-348-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/4064-300-0x000001F3A5A70000-0x000001F3A5B3C000-memory.dmp

Filesize
816KB

Download
memory/4064-302-0x000001F3BFED0000-0x000001F3BFEE0000-memory.dmp

Filesize
64KB

Download
memory/4064-301-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-310-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-328-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/4200-324-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/4200-323-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/4200-327-0x000000001BC80000-0x000000001BC90000-memory.dmp

Filesize
64KB

Download
memory/4564-336-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/4564-346-0x00007FFFC0460000-0x00007FFFC0F21000-memory.dmp

Filesize
10.8MB

Download
memory/4652-318-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-315-0x00007FFFC0320000-0x00007FFFC0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-350-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4932-351-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/4932-354-0x0000000073AB0000-0x0000000073B39000-memory.dmp

Filesize
548KB

Download
memory/4932-355-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/4932-356-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download