xworm | hxxps://cold2[.]gofile[.]io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2[.]5%20By%20Drcrypt0r[.]rar

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

should-nutritional.gl.at.ply.gg:22817

Mutex

q0vjMgzmZTmKaa3q

Attributes

Install_directory
%Temp%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\XClient.exe family_xworm
behavioral1/memory/5764-157-0x0000000000BE0000-0x0000000000C08000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

5160 powershell.exe
5756 powershell.exe
5900 powershell.exe
6080 powershell.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/5764-157-0x0000000000BE0000-0x0000000000C08000-memory.dmp	family_xworm

pid	process
5160	powershell.exe
5756	powershell.exe
5900	powershell.exe
6080	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ARES RAT2.exeXClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	ARES RAT2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XClient.exe

Executes dropped EXE 6 IoCs

Processes:

ARES RAT2.exeARES RAT.exeXClient.exeIf it doesnt work try this.exesvchost.exesvchost.exe

pid process

5212 ARES RAT2.exe
5588 ARES RAT.exe
5764 XClient.exe
5504 If it doesnt work try this.exe
5148 svchost.exe
5668 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

If it doesnt work try this.exe

pid process

5504 If it doesnt work try this.exe
5504 If it doesnt work try this.exe
5504 If it doesnt work try this.exe

pid	process
5212	ARES RAT2.exe
5588	ARES RAT.exe
5764	XClient.exe
5504	If it doesnt work try this.exe
5148	svchost.exe
5668	svchost.exe

pid	process
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1372 5588 WerFault.exe ARES RAT.exe

flow	ioc
66	ip-api.com

pid	pid_target	process	target process
1372	5588	WerFault.exe	ARES RAT.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2564 schtasks.exe

pid	process
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exeIf it doesnt work try this.exemsedge.exe

pid	process
3580	msedge.exe
3580	msedge.exe
3740	msedge.exe
3740	msedge.exe
4840	identity_helper.exe
4840	identity_helper.exe
5692	msedge.exe
5692	msedge.exe
5900	powershell.exe
5900	powershell.exe
5900	powershell.exe
6080	powershell.exe
6080	powershell.exe
6080	powershell.exe
5160	powershell.exe
5160	powershell.exe
5160	powershell.exe
5756	powershell.exe
5756	powershell.exe
5756	powershell.exe
5764	XClient.exe
5764	XClient.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

If it doesnt work try this.exe

pid process

5504 If it doesnt work try this.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe
3740 msedge.exe

pid	process
5504	If it doesnt work try this.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zG.exeXClient.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIODG.EXEsvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	6028	7zG.exe
Token: 35	6028	7zG.exe
Token: SeSecurityPrivilege	6028	7zG.exe
Token: SeSecurityPrivilege	6028	7zG.exe
Token: SeDebugPrivilege	5764	XClient.exe
Token: SeDebugPrivilege	5900	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5764	XClient.exe
Token: 33	2560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2560	AUDIODG.EXE
Token: SeDebugPrivilege	5148	svchost.exe
Token: SeDebugPrivilege	5668	svchost.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

msedge.exe7zG.exeIf it doesnt work try this.exe

pid	process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
6028	7zG.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exeIf it doesnt work try this.exe

pid	process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
5504	If it doesnt work try this.exe
5504	If it doesnt work try this.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XClient.exeIf it doesnt work try this.exe

pid process

5764 XClient.exe
5504 If it doesnt work try this.exe

pid	process
5764	XClient.exe
5504	If it doesnt work try this.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3740 wrote to memory of 5008	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5008	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 1040	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 3580	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 3580	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe
PID 3740 wrote to memory of 5012	3740	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cold2.gofile.io/download/web/a673e9fe-027c-4907-941f-c24137ab12dc/ARES%20Private%20RAT%20v2.5%20By%20Drcrypt0r.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bd0546f8,0x7ff9bd054708,0x7ff9bd054718
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
2⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
2⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9031291510583596085,1648738956294859319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5904

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27797:130:7zEvent23241
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6028

C:\Users\Admin\Downloads\ARES RAT2.exe
"C:\Users\Admin\Downloads\ARES RAT2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5212

C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe
"C:\Users\Admin\AppData\Local\Temp\ARES RAT.exe"
2⤵
- Executes dropped EXE
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1180
3⤵
- Program crash
PID:1372

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5588 -ip 5588
1⤵
PID:2888

C:\Users\Admin\Downloads\If it doesnt work try this.exe
"C:\Users\Admin\Downloads\If it doesnt work try this.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5148

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5668

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
6376e412b719ec42d766d04a398aec95

SHA1
6308115f73286df17278c4d44c7cb779a100a63a

SHA256
12e593c818fe90b5e5520803053bb2fe1e89196e5cd688b8554122e9e81fa4a4

SHA512
91506d7a6f3c9dccf023d209a190e768b90715f6d0bb5b545f20178565866994c7c42520f9aea71d1f4687f1d25885ff1c5def14297bca64df519c19e8f92162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
ad6063ef6354374fd73093899fa71a32

SHA1
598411f480fb851193bf5d322c6825a453159ab9

SHA256
78c0fa8f5e8fa36ad6eafb6286f0eb4caf9457d54d230a4099767ee51c0e8ab6

SHA512
912ba2b07360117409ce1781c80de9a89531c84b7ff55d12f2a66b19dbd1775167a7530eb8807c57a74b1c822de9ab62179d009b6713d0015b29e1e586b7e0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
43d4cc41a89f365c2208f447b2d96f52

SHA1
0932639c6edc5326f47d674e0340099ef9f0150f

SHA256
ab348cddf74888a50de2ea2f19ac5213ced9b4e701d224109b10761be8fb2576

SHA512
fe417d907597ae06d6236f6902eae59434badc001013448c8e5132963b5e1f2ba2e82709c432b4c9281fadcc5be7cabea024f2f5af6e9605428cf921f511d941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
eb21c0edf1a3b55d8b3136e41643553a

SHA1
8982e7f651a15388267c78a0ef881a8eaa06ac19

SHA256
4b259ba144273d59101bc7830bea31d67b808750b4ba5744cfc23cbe283d10aa

SHA512
8e3af6636f163c77c68178c33e674211b14efdf53c89898c1df54f81a38c00fd880148cfbbc7d090ec5c04360d57c3e19efc9c4d646884cd84ae1cc44bb47118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fc6cc3ffa7e6aad4e64daebc7dd8ca0c

SHA1
34d5325fe6e8024966775f786a2abb5f6218dbcd

SHA256
7e14689300ad45aef9242eeac87715ff53ed06ce1d7c51b271fc54daae89a4d0

SHA512
6a49c406e03d174e54053a0c304ed5cf74c35f42c27b03ec6c532b32305b37f765b76b5ecaac51e1f2c0d228f048b1408fc30b453a353935e4adbb3883df80f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e105e5d556d70660607dfc614ce68007

SHA1
fc6c17f0bde9c266b02bca74035bd85f675c87bf

SHA256
fef999034800fed5e04cb0a677e9f3281fe923b05f6bc271d2d8f807be7e1fbd

SHA512
ab3727092a6c4e47cc1a7398f7ad2029e33cdbe98bf22de1211b7a350908aaabac43631f6e0d16baeffecfd2d03669bfa4811067cc4efa7a842416a8c5548eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dll
Filesize
57KB

MD5
9e7f44b8f1512476aa896e977c58830b

SHA1
eddd878d9e16502ee1eb7f583dd04e01b458ba42

SHA256
8e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708

SHA512
ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe
Filesize
139KB

MD5
7236c15c27e7e63a179e4fc935e2aaf7

SHA1
2eb5ac67a7942a2b7b9a64942b4c621367f61881

SHA256
e4f859e199ed7f9933f7da654947cf04ec6c91367d53f6f0fc31f8b1872ac9a0

SHA512
845b9a6abbc9e4d5fb2121a7f1ccac892557d7c2fa57752226264e268254483a0b4184e3f0398c0fc22a009b81b9e7cdf6071146ab18afd563eabb13dabfde7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyslrzyq.1h4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\SkinSoft.VisualStyler.dll
Filesize
1.0MB

MD5
60ac512e63a6b95eb37cfd530a01b94e

SHA1
4b5a1fa50008439ac074d732447ab9032a157114

SHA256
9f3e7ea22d052fee0e5be8cd904ac4425f3840df7452c760d5cc5357830c394e

SHA512
a6cbf2f1f6eedcb142aeca7218334dd16058b9f643e51cee4771e1a0f7124676361deac0c48d61468296e88035e4dd49b55fd139b80ece54c86c0338bdedd681

Download Submit
\??\pipe\LOCAL\crashpad_3740_RQRDRGHVWUTFOBLF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5212-133-0x0000000000760000-0x0000000003CCC000-memory.dmp

Filesize
53.4MB

Download
memory/5504-235-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/5504-234-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/5504-291-0x000000000CB60000-0x000000000CB82000-memory.dmp

Filesize
136KB

Download
memory/5504-244-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/5504-243-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/5504-219-0x0000000009980000-0x0000000009A8E000-memory.dmp

Filesize
1.1MB

Download
memory/5504-220-0x0000000009EC0000-0x000000000A214000-memory.dmp

Filesize
3.3MB

Download
memory/5504-242-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/5504-227-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/5504-228-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/5504-229-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/5504-230-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/5504-231-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/5504-232-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/5504-233-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5504-241-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/5504-240-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/5504-236-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/5504-237-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/5504-238-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/5504-239-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/5588-159-0x0000000008D30000-0x0000000008DCC000-memory.dmp

Filesize
624KB

Download
memory/5588-160-0x0000000009380000-0x0000000009924000-memory.dmp

Filesize
5.6MB

Download
memory/5588-161-0x0000000008DD0000-0x0000000008E62000-memory.dmp

Filesize
584KB

Download
memory/5588-163-0x0000000009120000-0x0000000009176000-memory.dmp

Filesize
344KB

Download
memory/5588-158-0x0000000000DE0000-0x00000000042E4000-memory.dmp

Filesize
53.0MB

Download
memory/5588-162-0x0000000009060000-0x000000000906A000-memory.dmp

Filesize
40KB

Download
memory/5764-157-0x0000000000BE0000-0x0000000000C08000-memory.dmp

Filesize
160KB

Download
memory/5900-164-0x000001FAE2CE0000-0x000001FAE2D02000-memory.dmp

Filesize
136KB

Download