skuld | hxxps://gofile[.]io/d/lkw1cL @ReverseEngineeringLab

Analysis

max time kernel
356s
max time network
360s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/lkw1cL @ReverseEngineeringLab

Score

10^/10

skuld agilenet discovery persistence phishing stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
A potential corporate email address has been identified in the URL: lkw1cL@ReverseEngineeringLab
phishing

Executes dropped EXE 2 IoCs

pid	Process
5132	start.exe
1836	XWormLoader 5.2 x32.exe

Loads dropped DLL 17 IoCs

pid	Process
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe
1836	XWormLoader 5.2 x32.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0028000000046416-874.dat	agile_net
behavioral1/memory/1836-877-0x0000000006810000-0x0000000007448000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046415-835.dat	upx
behavioral1/memory/5132-836-0x0000000000E90000-0x0000000001DCC000-memory.dmp	upx
behavioral1/memory/5132-838-0x0000000000E90000-0x0000000001DCC000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4fb45d48-84b5-4dbb-b534-17c47fab7c2f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241219233326.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4352	msedge.exe
4352	msedge.exe
1104	identity_helper.exe
1104	identity_helper.exe
5412	msedge.exe
5412	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5708	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5708	7zG.exe
Token: 35	5708	7zG.exe
Token: SeSecurityPrivilege	5708	7zG.exe
Token: SeSecurityPrivilege	5708	7zG.exe
Token: SeRestorePrivilege	5436	7zG.exe
Token: 35	5436	7zG.exe
Token: SeSecurityPrivilege	5436	7zG.exe
Token: SeSecurityPrivilege	5436	7zG.exe
Token: SeDebugPrivilege	5132	start.exe
Token: SeDebugPrivilege	1836	XWormLoader 5.2 x32.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
5708	7zG.exe
5708	7zG.exe
5436	7zG.exe
4352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 1072	4352	msedge.exe	81
PID 4352 wrote to memory of 1072	4352	msedge.exe	81
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 3828	4352	msedge.exe	82
PID 4352 wrote to memory of 4716	4352	msedge.exe	83
PID 4352 wrote to memory of 4716	4352	msedge.exe	83
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84
PID 4352 wrote to memory of 2332	4352	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4572	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/lkw1cL @ReverseEngineeringLab
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc0ecc46f8,0x7ffc0ecc4708,0x7ffc0ecc4718
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7a7075460,0x7ff7a7075470,0x7ff7a7075480
    3⤵
    PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6376 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1676 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4147766097192624456,11332991965512416390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9010:80:7zEvent4198
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8450:80:7zEvent8687
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5436

C:\Users\Admin\Downloads\XWorm V5.2\start.exe
"C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5132
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
  2⤵
  - Views/modifies file attributes
  PID:4572

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:3988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffc0ecc46f8,0x7ffc0ecc4708,0x7ffc0ecc4718
    3⤵
    PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffc0ecc46f8,0x7ffc0ecc4708,0x7ffc0ecc4718
    3⤵
    PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f073249d4ef50b5bce7717df9540456f

SHA1
b2590ec97c263094e13591c8d6f13cd48cbcf1d6

SHA256
7d8768f953493198d4308e7e3024991fb46ed6ae6a9d1adb4a0ea511767ec802

SHA512
0e81f27050b7f4c9540c8252d90b624b413bb8ea61d0752a09f377237d76ddd5062c012a0b9e00b32b709098696948bbe9712b72ba0f53672ed6b1f2910b0609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5ec32572-d091-4007-b872-62d76e8421ba.tmp

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
fa6edee00f0a4b43035148c426bb16e1

SHA1
ab3d2f4e55da5870921867d318584942d15bd9ee

SHA256
c52445b8287c7214aa1d043932c57fb611361125e0f98d7c7e19f226e17b8691

SHA512
c4956cd3636ec112171d08924e133dc7b46370adc121b95fbd45c73fdbd332d0716a88ccf9679dfdb8a6b5cbf7d82f72f5cf5a602408818f48ceb4b333585cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1ed12104adff30fe1d13ff8c02335520

SHA1
053169f46ae54399c9645a999bc290482c4508fa

SHA256
8988daea88537af5c40c8ac498647cd0b040a57e456779996c1bb1426fbc4a6e

SHA512
d02d1169b5a8b743d7eb001552fa84e3f366e7709e4bb2f77a899997529e06652f69c8176fcbfb695eaf970afd769ddc21404ca2e6ba71e7ab97e29ef41b614b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
98459d9891684116176708afeb8cbdc0

SHA1
97f2e2786b64cb54d5d9490649ce0e83736c1335

SHA256
2c5acf06499d4e7a05f451f980bcf77eee3457fc7d39d732f1b153e185285a58

SHA512
17d9ef86c21a07efa01128307b7e47fdbf513a0789232e77f8b5d5188824ca006cb8509cbcaa75e985a5b3e3e96e575d018a1f42d9755e93d8846c2df2e38fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4c3f5bdc4c20fb4a9fc1842ecf745c40

SHA1
e70394fc3aa64985aee3e6ccf535ea634b1ac7bc

SHA256
51e45dab91cc6461644d72b25bae973519686855888a9541d61ab3e5fc87d80e

SHA512
9813ab5e0ca067d911e2de139e3b5f7e1a0fdbbe9598897493b2cff6305b323ea939bc11f7205581222e40b2e53df58c706ec76ddfbee18a2ab1d5199150fc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
33341dc2ad6ba7ab4ff564ed8f153eb0

SHA1
b720e01d317d3fa144ddd209f82c7e23ae2de26c

SHA256
ed4e6da8b490c806a52aad0a6c05e163266086ec53ea03ee1b7ec3b415496e1c

SHA512
56e5c07afb6b123a2e64b6fc25c2618caeef6241c0185cd37626f188574580b7e5b618dc8b5a33d88cd53ea531aa97043ca6bb676bc5e5261b20110046d20d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ba50c6de550e197c3c92b7cd1611fa3d

SHA1
aa436c5fbb3827eb28edb88a5ccc8083524808b8

SHA256
4637e60bad22f98e89c743683fcc42852c2b815f2b5a6c312d09209abce8cb78

SHA512
24edb5d18900f421081b1a414b4294589ada1f793d40e923a8a64bd696c9b80619f19fb42687cd47cc8807ffe7eba22648e3dbe107d6e3ade4f7b9a6c4fe40f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
492be0d50bf81c40f935fdf44ea79b49

SHA1
b943bf9882d57b555b3d5bebd6f73d7057fe9481

SHA256
219ca51a151aba3aaee14427845f6c1cdd944a487b0f6562c23425019ff95407

SHA512
84a2afb060e0bb2f7650019bfff197c52e8de78227d9b69cdce30c851e7dedb70e65fa4bc35aa907f6660d4936f741ab933a9a2e2febe58e9a6b5e90d7e81784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46bbbece41266f6408b13d8d322f47be

SHA1
53d75fc9b915236def4ba6e7b069af39669a7cc3

SHA256
9252d5c11498ed4bd4f68b2d71dbf98241803a7b114b40c84a35bd164f84d25c

SHA512
0d3f5060f3b51edb15459927cd34cc289fb86bf5125bdd883862a12af00655ec2e69188413864ca5bc5135f558bac8096b658e209e2ceba63d4412fbfacf0390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
86eeb768188b9e183fed9bdc05d88716

SHA1
5cf719641ac802d5bfcb93a293aa414195b87655

SHA256
0a934708fa6e6c2411ef306f2c633cbae8558010e38e03591ff9cc1c9cc01dbc

SHA512
19dfef09129a7479b4aa71de20ebdc6944b0456c8ded27a8fda098981342739b74799f9dda6797849aa5dc5f8685054269a0b7314a8030ca3a2e115c1e9774ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58c6f5.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9631f8669d4df5952a1db82feb47a94

SHA1
2c75b7264fe533df80b1c60a329c3cb6796173c7

SHA256
ef294796a5e56a5fd8996074cee9527b6115ed5cb434fdd5739e6d20ed13fafe

SHA512
48321332c97e8f106235905ec5269569fd319513488dbbbdfebacc41ab014a247ed9c793a851ecc10fbb4c4bffb6a8e2d9ceaa575163d223631d68e5bb61e192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ebe8cec6d9c66c1f03ee20acd3c0aa12

SHA1
d506770785d3122b2ee03b2751d097a1bd75d13e

SHA256
a53fb27424ddac6eed3e8411a97dd7b9f2007ed6a3d98cf710f95298cd4f218d

SHA512
3af0fb9c020a24ecb34474081e89da33f7b25f32e9374085abca512e88f840373a9869c05fe9b157e5672a7cdd69e16746d69362eb668e8b5985780165cf5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e26b0a2a9f54bda16c510d54701402d

SHA1
dabf433b1404c06f3a1cdea150b864ab772fec75

SHA256
637e2c21aec0a80d80d623536385c8c1a8958945123f81cfb88ad7e857aaa8d5

SHA512
d3fc4ad78b33eacee254e81435d1f002e1ec87c5fc3349b999a8366470391b2406a9b1bfa00d3f1ac166b5a1ccf880b4331ef675acd05e848e729c4b466bdcc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3787cf54065d36b83bfb8389a847285

SHA1
995e107110ebce55d732399f1d9d2c82fd7ab14e

SHA256
89907223c144a737bf16c40ea130a574bb62dae3a7e365595bc541295d46cb1b

SHA512
d5e80c3f4a1242ee578e56a703e43b21d0d2273ef1583d3446adcdab9a9c5bbea5b3377b9a636d72a557a3f781f44d37be7512155fc61cd05239349ce477b43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d74ee946af1d2dcf5770881660e7a5c2

SHA1
3339fa405b9b5778c308e5eb0e7bc28bcde5fbdf

SHA256
3d13d965d5a21853764d08cf12f8e8abf7a43e527ffa8e14c1da719db435150b

SHA512
af8f62706b3947304acd1e3a04a10d4e51c55ae8b2329f9779d44c628b0510b935a9a5e860815cbda1eec07068004708d93500b2441d02cbf5bd55662d54c66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c045aebf943f7f5e12e79d39961a2c23

SHA1
07343adaf075a6e3539b7f265580972413f8dc55

SHA256
649473fb3781f1fcf865bc2c09edead0571aaf3447bb4c6b0d4bf3c0a3d94189

SHA512
ee3ce35545a5d4ccfeb3debd7478db78abc0a8615d14b9dc1e0880cf6bfdcada3a6d939505aab5d61e9bb28899ae9a5c662adc4afcf6eacd3bc828371b3cbedf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e478492060a523eb85c5bd2f8ecc762

SHA1
10d2ed4e4c2834a6368961b350f4b460a19c69c7

SHA256
696bc231b971f0a1d674a170e633e0a1e4b7840ad254d07dfa1222031ea6ee3a

SHA512
b66d44f83e126cc482d53c7507cc91b6d6be0ad34fde1fa9b07bfec8364930e49eff1b9018cf1baab2a64649beabb476fc589d95ab03c4cdcf255ceca96123b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
3c630eccb8ce6645f9ae7b435b15a574

SHA1
5acf91a5b46ce4ec1a351a3bbe72f33d9f473058

SHA256
815225f8e88a16d69ddb55d827c136a093c2c797b4efb3bc088b4070929a4333

SHA512
793071eb1b59a521d005ca266e66a5a5b9d163677e74546e3cc3eff17c675e70bdca6de701e006eac9352b295f98e548c5f7329bed620dd127a53e9d65f7fd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
921533aa0218fc61e7582d23c93894dc

SHA1
38c56c55a481f9b7e29f1286550bca93133433c0

SHA256
af28b1da1808859f240464ae3055ed634318742b48fa7479073b5244738eb32a

SHA512
9355ae431e55d7312351ae9cd870986a5e2e2022ec0422151ac74e04ff8fc0c18c10f6c6ca6a0728acddfd022f5f33df6c6e5ce68ad2d2ea744dcf4c01ed1745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73be6914f2eb92bb83157230453114a6

SHA1
a6aa158a0e954494b1d6d205153061340f4c568f

SHA256
3c5f8872e3fedd896746e5e9892644352b8948e6ef380bd29c16d5712ab0f0c9

SHA512
168db35bbb81ef02c84eb42f4e34b86ba7f7fc9c2d0ea09cad6c484867618b8726c0b5307f92926e438c67372a542cdacd550ad31a65bfc889ec22fdeaa311b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1752193fea495ece944fbc3bbec2faba

SHA1
ec6cb994760fec2123b6c09d0e1bb24a0dcf6ebd

SHA256
1a1c32562ddc3887367d10d4541d0374236ea18c5ce9fccb4a800051da465857

SHA512
f03f16345199269a0f5bebf7ffaa8942871af3b9cb03a6d8c874b41a5688e1017ab3cc9284a9d16fd3d5e055262770974fcaa38ff5ac4d7ee39e6611710b25cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5833ad.TMP

Filesize
368B

MD5
2f3a2d3231684fa3bfbe6b77eb615dbc

SHA1
dc81052dc37d56875338d0d8801f619ca477ff8a

SHA256
df6ee3e0e1bacd62966628ce8f49092b14fcab15331fe8f659ca342eadd0e3cc

SHA512
2cdfd38e0b55342caacf3cd394c86558410aece1acde8aeab7779dbe77439128376ba5c3a176062a491ccfc31830d994065a6b7f0e591bf92352f58dde965688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
35fe7a432f1b8ba46c9eaf2297f967d1

SHA1
4f872c2c02172cb8d1a2bf8596a079999353de06

SHA256
9005934f31af8a05af29e29e89f32e0814981049b3fb58c951287acc1a2b1ac9

SHA512
b871bf004e3baa17b16d9522e8076265087a304aa24b7155225219e752d1a45e122f54f1bee6617de7f611cfff255399444bd0462e606028b0da7c828ffeeb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1bb20e0760169020a835bc3d1a22cee3

SHA1
0b83e1b6ad57e87aa39b6df65f75a41b6bce0234

SHA256
77f1331bab8576938ef3fbf2102cb0b51517de364d2b27af98e96ef974d841d7

SHA512
f24002276bc97d2d3bb1f60758aafa62efc49cfdcc9e43ec322971824546e8e252b05dec2bf5e04356beb395357a85fcf0bd7aff50c437b3466d7a352d6158f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
49895861d4345b4a122eedca78635953

SHA1
3cc5baf517d96cdc6600296bbe8afdc150cfbf97

SHA256
022fbba235728ad2377aba18b65a84983fae00def0ad5914a83b0333a8f7b259

SHA512
4736ec02be8cc30b88d081896e25229d7b584d3da435085d8641645ebfd2ec76224c022d3e792f0ff7731721ac490d8931e35f68d84e4e7fc6685b12c9fb7976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ded2aeeb8d8c20e88bb5dcbac05e890

SHA1
dd4b65eb162741264c88c304ca4d24791c15cd13

SHA256
8cd8f83d444eef85448d77f4bfa0c6e2a90a7174a8f32a02a4f1bf00d7199f08

SHA512
1acd7d6e10752447f04ded127f2063c29dff36494b9aae3709a2c1f771e12dfce7a59e6e04e905c6ce4701249b4ec8ca2941258e791d5850a78872221ecba9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
02757d89bd142bca53fe2d64243f4009

SHA1
ac8cc5d598daec1bd39b7923309f4403b76fe03f

SHA256
faae738d80e87699a4aab8e9697072f655850fa615e952faef5e023731c7e26a

SHA512
64adede758db887c1556d3c3deacc22490afa30532d78f35fd882ae76bd8a2b88eba2afead0595894f9323ac28f6bb0a490a2fb876cb9c8edc9fa585c1b78099

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll

Filesize
84KB

MD5
0b0e63957367e620b8697c5341af35b9

SHA1
69361c2762b2d1cada80667cd55bc5082e60af86

SHA256
bd9cdcfaa0edecdb89a204965d20f4a896c6650d4840e28736d9bd832390e1c5

SHA512
07d0e52c863f52ecb3d12fab9e71c7a18d54cbedb47250bee7e4297ff72ed793c23a2735c48090c261fe4633d53d03e305c1338dfc881bb86874d1633ff6ecee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
007879da8ec6d8caa6c1e633ef50cbfe

SHA1
11939e69e40e35dcebc2cbbedf4fbdac0a011588

SHA256
4acc55e2a84a82bfb37c726bfa939cbac7aa4b1b035748f55bfd23371c5116a2

SHA512
f9067b706775f37db221bd73609f0f6917da355718317b8d82612ef20bcf5d68adbe2de51117131545ad8b470a8907e8483bfca4791b21e3881ddb2ac2ed82bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2b1e2f1dbc1f17807d838cf626279006

SHA1
7edbff773be37682aa5655bf0f8492a1ec257f65

SHA256
84644f2012776ae014c4efc92bc774fef4b726bc864cace30bf4c443ea1f3bff

SHA512
c05ff1b8378dfd7f576954b88fc7aabcaead06ca7ecea9116abb55f8117b5b26678134003d078f3003602283cb369d572091c25022d1b77605bccb1c6f57e6da

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2.7z

Filesize
36.3MB

MD5
8e391f6618b90ddcefb8048b768c20c8

SHA1
5ba1ee1aad993c5b76ba722706c146e3456e16d6

SHA256
5730c3bf3e6bc163dee6bab4660722c55eb1a4d878faa1f5b2a1c3e5929a0528

SHA512
b1358fc3f0694b84a12b1e50e049777ea2b89dc5ac3b12ac852b0e5929d8a51ed53479c2ea0e2e194faa570c370ed61bbc654cc4625d0aeb8514b44bbef08df9

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\start.exe

Filesize
7.5MB

MD5
2e62e776b7eeac3dd713f1a6da5f942d

SHA1
6516d9ef1212939a12a84a396b3c64ecea878c11

SHA256
68b1696d3c76eedc131349ecd65a23372082feb83bb66d9d9be296916910e7ea

SHA512
04c73c5505e56fd21f1a25c085c99a1c1cc19cbac8004ce3e974e05f9754c5d07051fdfa53f5a0f0b8a89c16412757b1a29cf487c552212531bcac42ead849bb

Download Submit
memory/1836-842-0x00000000006A0000-0x00000000006C0000-memory.dmp

Filesize
128KB

Download
memory/1836-877-0x0000000006810000-0x0000000007448000-memory.dmp

Filesize
12.2MB

Download
memory/1836-878-0x0000000007450000-0x00000000079F6000-memory.dmp

Filesize
5.6MB

Download
memory/1836-879-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/1836-871-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/1836-886-0x000000000B580000-0x000000000C16C000-memory.dmp

Filesize
11.9MB

Download
memory/1836-887-0x0000000002E60000-0x0000000002E6A000-memory.dmp

Filesize
40KB

Download
memory/1836-888-0x0000000006630000-0x0000000006686000-memory.dmp

Filesize
344KB

Download
memory/1836-870-0x0000000005A40000-0x0000000005A5A000-memory.dmp

Filesize
104KB

Download
memory/1836-892-0x000000000CD70000-0x000000000CF64000-memory.dmp

Filesize
2.0MB

Download
memory/1836-893-0x000000000FC90000-0x000000000FCF6000-memory.dmp

Filesize
408KB

Download
memory/1836-869-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/1836-865-0x0000000005940000-0x0000000005946000-memory.dmp

Filesize
24KB

Download
memory/1836-864-0x0000000005900000-0x0000000005906000-memory.dmp

Filesize
24KB

Download
memory/1836-863-0x00000000058A0000-0x00000000058F6000-memory.dmp

Filesize
344KB

Download
memory/1836-859-0x0000000005840000-0x000000000589E000-memory.dmp

Filesize
376KB

Download
memory/1836-855-0x0000000005490000-0x0000000005496000-memory.dmp

Filesize
24KB

Download
memory/1836-851-0x0000000005710000-0x0000000005738000-memory.dmp

Filesize
160KB

Download
memory/1836-847-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/1836-846-0x0000000002E70000-0x0000000002EB2000-memory.dmp

Filesize
264KB

Download
memory/5132-838-0x0000000000E90000-0x0000000001DCC000-memory.dmp

Filesize
15.2MB

Download
memory/5132-836-0x0000000000E90000-0x0000000001DCC000-memory.dmp

Filesize
15.2MB

Download