asyncrat | b096974847f6e0399bf3603c96af8ad777430cbccefb41a6f55f79c34e41b223

Analysis

max time kernel
76s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

312KB
MD5

0409c34b4fc66cfd7c1879ef78548458
SHA1

8ee4fc60faf0a56001d1d922bb3c66366fb69611
SHA256

b096974847f6e0399bf3603c96af8ad777430cbccefb41a6f55f79c34e41b223
SHA512

39b2b1c12be637bee867a7b7fa8c60aa958dad0e4f68fe74f29a03dd5d2fabba0dd98c395c931d0b6b6f7aa3b75cf93c778f2555aad04c714144c24d152e0200
SSDEEP

3072:BiegAkHnjPIQ6KSEX/3HuPaW+LN7DxRLlzglKeVdLk:LgAkHnjPIQBSEvOPCN7jBeVdLk

Score

10^/10

asyncrat toxiceye def rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wsappx.exewin-xworm-builder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	wsappx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	win-xworm-builder.exe

Executes dropped EXE 2 IoCs

Processes:

win-xworm-builder.exewsappx.exe

pid process

232 win-xworm-builder.exe
1100 wsappx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4156 4420 WerFault.exe XHVNC.exe

pid	process
232	win-xworm-builder.exe
1100	wsappx.exe

pid	pid_target	process	target process
4156	4420	WerFault.exe	XHVNC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4584 schtasks.exe
2484 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5008 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3360 tasklist.exe

pid	process
4584	schtasks.exe
2484	schtasks.exe

pid	process
5008	timeout.exe

pid	process
3360	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{7D91BB5C-065D-42C8-9EB1-811875BA6256}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exetaskmgr.exewsappx.exe

pid	process
4416	msedge.exe
4416	msedge.exe
1876	msedge.exe
1876	msedge.exe
1628	msedge.exe
1628	msedge.exe
220	identity_helper.exe
220	identity_helper.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
1100	wsappx.exe
1100	wsappx.exe
1100	wsappx.exe
1100	wsappx.exe
4140	taskmgr.exe
4140	taskmgr.exe
1100	wsappx.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

XWorm-RAT-V2.1-builder.exewin-xworm-builder.exetasklist.exetaskmgr.exewsappx.exeXWorm-RAT-V2.1-builder.exe

description	pid	process
Token: SeDebugPrivilege	4316	XWorm-RAT-V2.1-builder.exe
Token: SeDebugPrivilege	232	win-xworm-builder.exe
Token: SeDebugPrivilege	3360	tasklist.exe
Token: SeDebugPrivilege	4140	taskmgr.exe
Token: SeSystemProfilePrivilege	4140	taskmgr.exe
Token: SeCreateGlobalPrivilege	4140	taskmgr.exe
Token: SeDebugPrivilege	1100	wsappx.exe
Token: SeDebugPrivilege	4900	XWorm-RAT-V2.1-builder.exe
Token: 33	4140	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4140	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe
4140	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wsappx.exe

pid process

1100 wsappx.exe

pid	process
1100	wsappx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1876 wrote to memory of 3008	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 3008	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1472	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 4416	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 4416	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 1420	1876	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbab846f8,0x7ffcbab84708,0x7ffcbab84718
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17466660719554753444,16862722127913121902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316
- C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp.bat
    3⤵
    PID:3384
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 232"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3360
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4420
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5008
  - - C:\Users\Static\wsappx.exe
      "wsappx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1100
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2484

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4140

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"
1⤵
PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1524
  2⤵
  - Program crash
  PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4420 -ip 4420
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm-Rat-Remote-Administration-Tool--main.zip\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=i-ayhx.exe i-ayhx.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbab846f8,0x7ffcbab84708,0x7ffcbab84718
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3592 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7960421886082533031,4178614003138916111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
82189e26c57d45de7e292966a2dade7c

SHA1
24692165dd8801f6203f32b5ef7336b0f87abe02

SHA256
49622e3f1a4e45513eacae89203a194e49e16cf4938158624ee8fef219931316

SHA512
6a4da19b81e3d48a459b3c165c8a1330f84024a8c9def78ed49d361d772d469f6f52f82b8f795e3d022536e40e52cb5b964f87e335dd5f0d237bb968498047c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
ee209a72f403d98d0685f5a23db1a726

SHA1
3ac3f9bfc036a3320c321c50357b81a5fe41f15c

SHA256
0f2343435f515970fa497ee6802498c985a8ded272ef15f3f42f86ee345b5835

SHA512
b0067e0234502a6eaef3f3283662381289340b7e7c5f5c50919efdae8a7548e7662b704bea45e699ebf8010fd4f7f646d68a5f51a41ad81305e5a68f1f228793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
d9faa51d6dc9d5d7b6ad14e493ff2675

SHA1
571129cddee3bae38db8d065e2dcbe373036d9ff

SHA256
f7577ef8d3d365fa9bfb3e80e323e50cfca7e094a78532964000157d7322a394

SHA512
28d2874abda5005f297e79192795b4355009bcbab99f2d9297214c577367cd459f5152c828501cfd30971d7c9d7f365fd1041c10ea75e46ad134c4bd09a13d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
638bbf533e5dacb486083dae73fd32f2

SHA1
794a2434542242799dbca56fd41c9b996cccea5f

SHA256
0d9235d229c3cbee74b2c1eb75a4d8e35f95cc4e9046f5392392ee7f89aa503d

SHA512
a40dfa0955f3ed5a47bb643132dfb893a88b18a0feff377aed73445834ed659aa21820b31943a475248e05c2d7121fb56806a3a4e239e8263901084d0e6184c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
d507d122a2aae9008992c46f8eb4d1be

SHA1
65b3085451a456e33bee5018ad8e402b5485f567

SHA256
ddd8133ff864177976304fca41bc2d08fa4780c0cf5046b1c15fada081d1a594

SHA512
dc969348284cf93b770412803129d5fe0afb0995439e244b4a64e8b334f10d20db47d747db914294d6fe00492c52df0da552475759361dffdc84729000771185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
30b1df70e83b0e8b99d0b00907b27aed

SHA1
06900bf71349b46336f4e71d5ff44666af206ea3

SHA256
2396fc343efc480dfd8d2b953f019bb4bc347e8839da4d9e78dd8bfa70ebfda0

SHA512
084aa81d02e5c8b8c5747de32ce63be88433e4a1d41a0fc7918aff6b9fa3a933531972758d4796517201b633a1ded0f10d5de85556ac03fb1c67bbde15a458fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
01727e28f9b69324ae3a69a08d056e98

SHA1
197de0c70072eaf329194c235dfd2370c609e6b6

SHA256
6f64263d2f3e93abbf58295bf7c5277d3210e03304045bf9a482e7bea302cb3d

SHA512
228b921ed84f05d355dbe20917e7e25496a9fed76a0a1a9e357796bd67f3fc939e8c787fd5efb99ce04f58c4e8feae6969cfaeaabcd0dbf3989a253f5dd84eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
e07951b4f8a2a9512156104039efdd3b

SHA1
5013d3281d3d7c981546177a99a922e82f7a680e

SHA256
e2d8095944ca9b2a3cf7690eb4c15ca21e6eb5f7ed5494872a45827d7c097602

SHA512
bd86ef50dd474d8dcc4eed33cc3f6d6b8940f2a624a9d21f20369cba8c159f2e5441651a1162e6a1776ed133b4846d65a71aa3b4e4da711f3db6ad715599800e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
31d0b627bb504f41d13ed4a6bb6ae7e6

SHA1
e18a6ae48161375df3dd1abb5d8f8b5088bce983

SHA256
2f90b25270a95b7044cf32e9a3186acfb8dea03f1edebee7df271c337f298787

SHA512
6b1b4955f116fc6498cccbb0a313b558f492a71f50476cc1b22fc890c74d9939975435dba1b85b6a5ce3ed1d827ff624032ce118bda3ac82d42a64f6fad25cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
132KB

MD5
f5bf8f3434d54c88ee3cf5a6816a070b

SHA1
e48e63545bc049f9fc439ba0fc3f9286fc04fcdd

SHA256
6a179c787e6fbe2b792283364bb97eb5dd6eead9354be986d365b7f2eb24bd75

SHA512
fdb08b62ca52bb1919732c25a63e67db6d28bdaf500be10a5d589d476bcde70b6c3a5d34f466849d8208961c6856b8aee960ba92be8c457107fdb1ff8e7d9d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
11KB

MD5
652c393c67312ccd4a302c40543613ae

SHA1
47f41f8aa7ce084b3ba9382ed254c60255ffc492

SHA256
aec64d19d82b82015ef785ff6458453e0914ba5ff201065ef60494d3856d1fad

SHA512
b6149cbd01e6883d100b30ae1c69afa00cb7c6fd5bf9da73b14869f4700c15a37b97056f820991e6e9835c0ce4473411a71d6c23a3ecabecbcf1bf24d0ef9691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
44KB

MD5
ab25907d692cc1ecde901cf8a8c1b148

SHA1
f19074a9b63277b4c042ea7edf8ea9a2352f79fc

SHA256
ef951a9a4ac3c6f44e91f6295b6a2f58499a840db401b8b2e41243131af2991f

SHA512
9bef60fae31dd7a5a572d104b49538a871a4eaf0d3e5fee402cfc4794c9748e09fc2ef733a854b9c174de53e9435a6d53cbb42ab7790891cd0b65b057f2a2635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
656B

MD5
1c2264e64974e7ccc13489b24df0f7ed

SHA1
d302abbd597a0b095189de65a6a152845f248713

SHA256
5c29aaef26f21859aae8273acf31d7c2134c97e6ff6e02c59294146b3505a76b

SHA512
f75f20970bc9e705a6bca37f3bf53cc0cdedc00fcdb18daf030c2ee1b606bcfa11399626fdd34f7f2fa446a270d1cd36145cb4e68715f497e40e297c7f6690df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c3c3daf7e3e15e7cf54fa40c5e6773be

SHA1
6e91c88cf12f80fa1afd2ae3cb4f686328a92577

SHA256
6a4e377e1cf82ce10447d4a8cbbb4d259120ed28b6346e4ff97e7dd5758e405f

SHA512
cfa0f8b73eea41568280af0cebe96c9c692854a4cda7dfa0042729c3221bbe1113922cdb242a3b6f022956df14a658eb181e77e16946cd74ec58ce0bbc536e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7043fdde50fa35f7a1f481a8a604664c

SHA1
d14cf93276b1c73564e68c219cb8ebdab7956ca0

SHA256
155e513d0c68f0727dade046fe79ffc00d343aca2d805232649e753ff9ef8687

SHA512
bd9a4d6dc58d9750985f95f0c3d47ee678d1c921a5cb787cb61ef24197fb3cecec83d0540077a86cdb75a2002f332b5df6d817377437c32b17d96608da7a3ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
346af01a19445636e4d7bdcc02b21bba

SHA1
4bc5c1654ba782655e128b577a4877a06f706006

SHA256
a516bfad7664fad7fc989a556e0d6c2b0897c78ce08700a5184719d3e1b1c2b1

SHA512
17e0c8d84f20dccffbcbbd04dd13234659bcbc4068216ffb98daaf48fd271294d02a3d1f9ed63b4b174118cb42c47db917607440f95306ac56fff90ea4010724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cd8a139bdfe1714272ae66ee5918597

SHA1
c1134a85a969e48d2c743e02978f9746160d3c54

SHA256
d35923a8f532495a30c333d87a72601c128b462627279756724319e5a58192d8

SHA512
990eff891abd5f209cf11b0723a9eeb28fb31975cb1a250ecf86cc0c6dd1ecc8f51d9f13c217b5cc96a0462e6897b7cd2023b541ca0ce007d546b99bbe4d74c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
282230d7dd9436abf7155789257f6ea6

SHA1
b4bf22078e6c0a2d9172c04597adcf1617e0144b

SHA256
008f4e1a0464bd6e845d75d8af4356277df41adaf4d40e8b2378ff485f0973d1

SHA512
76b458a1af4ec90b7c3a62978903db7ee4e5e6bba1b368331450286e8adb093ad1faa532a9bbefb090560fb0e65930ae99fec380d72992a213c67d5a1d18c758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ed39b06099cfc724df0921d0a8bbc807

SHA1
9de7efc2d52b86bfcd95286e1878c9a86200ca51

SHA256
da5ab8ab80178a3bc404791d0aa3d75b531ce0eba51d5183f0efe689e9d1ea57

SHA512
9bf9191e8523b505553b8cbdfae6336ff8346e68a0e251090d75107d9203578c2120b33decb97ea2823b8ec4cd4a0a69ed64342c0bc72d4bd23781cd981b04f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3fd0774593fcec7385b9fdf3b8fd42fd

SHA1
41a4b8ffc95d78592ce0bb9743ea9f644fc21196

SHA256
ee2fb8ba9cb1f9e7863ce52b372dfa6a9e0b513c33e2a2a48ae5067a1492d5a1

SHA512
c7aee060589caa4ee49920f5bdec2d562a29b4efa72278520b2d126459a056155f8e7aa554c00ea395b515448c060934720f6cc420bf69d36612efe1108c5afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c3e89848d9ca916ac0dcbea0bae73c55

SHA1
00b5f066b4a324eab1e5b213c8b8b4b3e7746eb7

SHA256
6ad1a86df0e44c725a35bfe216602bed8144694ff1611b8b733a233769c465c0

SHA512
422f9ce0ec3d5f9b1740edc17836a4acb3e33abf449d36bcc3c789a27598b56655f79ae5edcd70169f7abe6320513328a3d533a02275abdfe09f6d8a45fa63ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
b5fcb8763511bc3606f905f346e850ff

SHA1
669485adabc3b5b87636c4283066657d176ef3f9

SHA256
c13ad9ce443a972266601d67bdf09cb9961dbd020cc58f7927e0ac93f7970d9b

SHA512
53afdaec18255af729e956f005669e48d9fd1bcb038efe0d9ce172fd7fed7d3349ddc58460e76fa45713c40f6f482593818983642837b1ce637d2b387e3d7fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL-journal

Filesize
28KB

MD5
aeb8e8de291dc2a71637056739045dd6

SHA1
4a436244d7aebb07352ec8fc8398b3c970e14172

SHA256
e21de5890a82607203e5dd0ec2b9a72718d84d753367a696bcb8b0d0ed860365

SHA512
8fa6a53509d85832ebf4ca6883f295d2834e13e74abe2fb0e2022fc72e52a6664409526647046e9c383acd6e650d4968cbc3d83c6fa99caf6c4823c3704fde66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
524B

MD5
dc1cacd255ce12271882835276e0f8d1

SHA1
e4a179a82fc1c08d3633ee184c36ece65e7458a0

SHA256
7a7af2afbd2ab1ad50857bac7a4e6a7e31fe154cfb22a2751b4d4326bbc39f0c

SHA512
1c7411c1153ff3b77097a2c14b73462c938a374b6dc9c8ee499079bb89754d56d1c01a50bca1325042e3c628458ebac8da25b38d4c6c3de69ac1356027225a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
5e1ddbea46ad06ca7bb9a71f78709f9a

SHA1
3b6304e75baf2797a20a76b87a3e4e25a71406c0

SHA256
899525b36d81bc054317a2a7c376e2f88b6cba84a8e9d5af0de52c53408d9a45

SHA512
42b5ecdb08b528760d5dcf2bd16e3cfc4d97154abd703c87761e1ead1e7bae84d277d5462bda6405e485b73d522654789b265d698c72b599168bf4dd073599bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13362777713088790

Filesize
11KB

MD5
c294f4d5de2303feaae4b1eab37a557d

SHA1
70233a65da1fa092b6b896aacd301464d32de6bc

SHA256
846673db78a647c3f39244cac62fedb6312e2dc2f3cf234c2a0001f576fc55ff

SHA512
b9332e2a0828bbce169f61e03ad5f833fc6c324c1facf5f654b3deef01b4ca5c7428c3091f3ff4ca0356700b08d82a30bae998c752a0fae676a1558db159e796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13362777713245790

Filesize
5KB

MD5
e37ae22da751e1cc033ab55498d0b34f

SHA1
228f566e12f93633becac95303f8cfbc29bad961

SHA256
7fc8d74102dbe238be33f19065cdd827d121a59850cc88ac85b78296016709d9

SHA512
a0ceff2173636cd0c9aa9de7a717f087aa359d9340b83b151ec97a9409a7bc4057d7728178370856ac8523c89c1321928fcb01bc223f89265269c45cb23ab973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
208507cb58e845fac2185651d2c8a2b4

SHA1
368465403857dca8770258781b52fc2da6f9a1b6

SHA256
ead99b1ad056d9a4026099886aa0096e2c272eceaa867c67bb51770a408be890

SHA512
daed95ea6a6168323db9adab2fdac89a2933b0936f0a848965c6342984ec0f076275cbb29cd9bfa361e8a19d7e6c45ca34c5696f085d814b95c0192bcec4d0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
5d4254788fc47b01f00b94abedb0b5d0

SHA1
4f370062f32a447b8314f98b31b60a024e4adaa4

SHA256
e73291483d502a64c2f88870bb33f555d8942e41683e88b4ff792dc7abbdfdb5

SHA512
a8dac0a27dd46c823b7a5814738d20da640df3c03e20a8aeb9a4d7579690481b9026ab976591b97de2f8c1a8161ed9f693bf03becb135f37e509e4df020423c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
20e22d9a0019da518d527f3028081e6b

SHA1
6bf4faf7b2eda2d8c5f8a704b9bdc749fe13e9a2

SHA256
4070ae45f14e308ea8924d4149404dbc9adab5e2be70df010b880b32d2bc7c98

SHA512
1b55c8435decc64792a8dd5352f391c95eb72d808a28d2b2119f818cfb44f3d9c7a9bbdc7c7de9258e0ced9a1be6cab7aa8e2022aed65669e597765021e79484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f86d4ebcbb66d2467d90aef7792ada43

SHA1
f7ab7094003ab9d8057adf1eb302dfe6e8ead438

SHA256
d60e93459c21ed2125a50527ecf080b02ea022d1b01575b4c0fc8381cc1fb43f

SHA512
449635e028f8022313e22896ca42afd45bdba80a3464bcbd4f1f9950589c30e3197935c2a8cb9786457fcf2007243b30573f459f4da575ccd031f7b7ad8a9932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
f103d01a50ade0301128802774bdb1e4

SHA1
ac5181e12b00c9827ef9aba0dd34c7256e26d9cf

SHA256
b455e4da20c7190712bd5331a0a44c34a19bd5ee21861bb9d23f5a9a5822cc3b

SHA512
11f34489f0dbf42d256ad35c6675f3a320f418d5234d149577cd43a0370ed59d620c834c224d29a5da65b66754dbecfc0630219791871b2abce3b41af06a52d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
7aae266ef8bcc58ee456be9f9b0348f7

SHA1
f64cece1d3ad31bf66acfb6be51e33d96d051e21

SHA256
f6cbba82bd037ccc34b68440d9742c49f4c568b635a1873e175e79ff1a984ec7

SHA512
c75ace854c3047ae9a0c394b0aa11b37d58e931d6c386eb9f4ea7a3100d0aa5e595d88d62efb191b747aaec24fac2f10e36a5bcea7fddecaf8c710989b9e98ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
6KB

MD5
5eca3a9ffb743a8199db25394a4006dc

SHA1
665292aedd65572808c2bdc303e9f35af432582a

SHA256
bb97d7f258e06efa73a389e73a5e97decbce97eae27b0843c4b828c1656229a4

SHA512
1eb31d799dfe51465482f09df25e811ae9681963b974ec069804f731ec6c667e284c361e3eb1202a6abb789bc7e3aac98f528f3d89589617d97fb462d837a54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
bfa240a61533c7221c2afd67e9a89cba

SHA1
073e6949d825dc6c4b9d025131b6a9598f97f425

SHA256
3e8580aa2929188ba92dc8b2b7fa822a49c463587cf23ae622bcaa5b5d78f6c9

SHA512
ec8c336904a3a29b2c50c272479f18baf1a64924fd88c34cc45fb2175801e80815ddec281f0daf904a8f3ee87474cc0046e1193040a7c449817b7e41e2e8ad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
612f31b939a7285772ab57caa1208a81

SHA1
122fbba8fea39c7f928c2843fba1b1a18ee05e24

SHA256
0b14933fef3b46a4eddb97a7e7fff9bf7383a7a8169492d23c17157930a20e29

SHA512
5e1f05e3ee43f7da3d2e229a0bc7c7645864bd71e10770d4bede508d3ece574c687d498ca208973b448d7d18dc481f929ac934c888d1f5b422324e99fcbe4cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
5c5808a77ec2f574de919a31dafda7d9

SHA1
867140d6a7a0aa07dbb12381ffa69c23a5d63dcd

SHA256
c63571721cbd71a51874a25564c6c4ae26433c4c4e58a08ada87569b40610a8e

SHA512
8e9df40f2a2783eb6c0ba88e13603ef49496c8dd9a6c2e6422a15705fd849af1fa8891a8a0c941332bc76fc2093154d6b9ec7cd2df2e5afe1d41624a18fd87e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
277404aa8ffd9b1e3f1b760be48dd942

SHA1
b744b3569b378f25e2742b8d5d1f194840dafb9d

SHA256
1197776af706833c990d155e58825f77c70e77678026c12441c3f0f99b12af79

SHA512
6e002fafbb4384567619b99dba262089ed419e67cabf9b5f6dace6a0e727defe936abe063a7e0da8fd5fed742ea864ae8beef615e029dc137dd8dd865c9bf1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2a4a7644306286cf6c2318a9b15cd07d

SHA1
f631a2d910c6e084f53749ad57128d798504558b

SHA256
33af950fc5966669f9a8035e6769cfd4e678b7ae92966666c39bbf0462b26220

SHA512
38ba140e1781a15ed42c61f6961e754077bfa583b61ea6bcea2563b8a978fde259dfc93ff87c895263583c300ff00da8b575df6648fa4b42034c73eb1a888f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
80f09a26613d86897702a3a698ed68cf

SHA1
64620709c243caa515141f217bcc8af6ed265e40

SHA256
0fc7c808a69ed11f77034ba0bd7bd3a314935e52a8703e6d0f4c4ec220d963eb

SHA512
8e989f7d8e956578cd0bc115c911df963830087aee66fe0aa466c02bdd2681104ac5db90734439dcb278995c0081598e4fb9a6166efd4b785faa4f487ff5d0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd5eeebc28dad52bf3924695c4187981

SHA1
a6037a1aef976b0df0847906187026a26dcff30a

SHA256
c3035a810b0c0fcdf1458a438991965f4fc784da089eafc9b8c77bf863123618

SHA512
cc29551f28b723c019576317f96f35efe6bf1eeada0d8a66c61644ba2636ae50bea933228843fc0f7272ac16e03f07cba5249d4a916e333554a5a357382622b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4885a93428c376eaf7904ad23ff9bff4

SHA1
9a6b1d79ef87664e500ff3a6f865903995b8509e

SHA256
6893ae222516cbb73ff98b4a5f57027d0f93443f9b244103abfacbe18d9d08a3

SHA512
5684ab300de6ab97b5975968f9df12ecfbf3ec2350dce2d19486de113c141f4bcff7b06fd818ddb55d02e8207fdcfe389415617da984a20db9a21736a33fc132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
6B

MD5
ba707af56b2b1cdb146b03c46560e31c

SHA1
beaece5c9f4f5c790a4c2bbb849b246fa69f1293

SHA256
a2fe60cac3be0504b2f4f86dfd6735c25c483850be6a159f3517380b85d6c399

SHA512
f6c6c83b5bf1a0dc164b964d206ecc9a3896190d537a9b1cdf360013c75da7a57d1a7974e87c567880eae04e9ae370bd835fcacc50b3a6fe9d71d78e92224d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
5857fbb874ece7078975703a90440807

SHA1
3b6cdf4b63bbb40887f8e91c2e7a933731b632e9

SHA256
3dc109fdc012e2e8afb3d4064563664a1a7bae21e8cdfd7d14f25190097c6390

SHA512
4e3c9439d53939c4449d8fe36b6d66e25fdab4960b3a367f72d2486cd89f59447cbaceefb3133d3b88267ced9a2cc1311511192d298fa43455c0fffcbe2c83ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B96.tmp.bat

Filesize
194B

MD5
40a755f9a0106270196befbaaa845efe

SHA1
f1da15d621715d205de39e6eabbda9e570799888

SHA256
14538a3705ce3ca502c2bd2cb47f763b87e1daf2060f23dcdc735edcebc924f9

SHA512
442f14b3d6ec745b62c96309c13308e6233695e6ee6411b4c60fa0b688b66f626e142bf2c8e23bd9fee1662d3e724419a86e11707c2abe3978300ba8432c536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe

Filesize
793KB

MD5
835d21dc5baa96f1ce1bf6b66d92d637

SHA1
e0fb2a01a9859f0d2c983b3850c76f8512817e2d

SHA256
e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319

SHA512
747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87

Download Submit
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main.zip

Filesize
5.0MB

MD5
ed997c518b1affa39a5db6d5e1e38874

SHA1
d0355de864604e0ba04d4d79753ee926b197f9cf

SHA256
8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

SHA512
50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

Download Submit
\??\pipe\LOCAL\crashpad_1876_JHRBFVNJMLVQTBNE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/232-212-0x00000215D3620000-0x00000215D36EC000-memory.dmp

Filesize
816KB

Download
memory/4140-230-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-232-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-236-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-234-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-233-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-226-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-231-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-225-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-224-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4140-235-0x0000013502390000-0x0000013502391000-memory.dmp

Filesize
4KB

Download
memory/4316-213-0x0000011A46A80000-0x0000011A46A8A000-memory.dmp

Filesize
40KB

Download
memory/4316-211-0x0000011A469F0000-0x0000011A46A10000-memory.dmp

Filesize
128KB

Download
memory/4316-199-0x0000011A2C0B0000-0x0000011A2C3EE000-memory.dmp

Filesize
3.2MB

Download
memory/4420-238-0x00000000007E0000-0x00000000009CA000-memory.dmp

Filesize
1.9MB

Download
memory/4420-239-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4420-240-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4420-241-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/4420-242-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4420-243-0x0000000006420000-0x000000000642A000-memory.dmp

Filesize
40KB

Download
memory/4960-237-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download