ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XSpammer_Setup.exe
Size

72.4MB
MD5

1945cc6063dc247fd43d24eabe1b7533
SHA1

d756893bc819e88de256f21bea88b8b752a275af
SHA256

ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552
SHA512

0631faf6474a96f30926784f21b9ad476ae67928028c1c68d36453e11460330b293f33280d8af117e05dda0b39f742d74a68f6d6d2dd1cee5d15f93e23201e78
SSDEEP

1572864:o20upv9u+MC29R3MBJimyyF7DGbVjnmFIq41egyeUtdOg0IXiBx22kSlM3:o20upvW3cyi7DoVjn1qQ9ylhCkL

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	XSpammer.exe

Executes dropped EXE 5 IoCs

pid	Process
1896	XSpammer.exe
2216	XSpammer.exe
4820	XSpammer.exe
4136	XSpammer.exe
1572	XSpammer.exe

Loads dropped DLL 19 IoCs

pid	Process
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
1896	XSpammer.exe
4820	XSpammer.exe
4136	XSpammer.exe
2216	XSpammer.exe
2216	XSpammer.exe
2216	XSpammer.exe
2216	XSpammer.exe
1572	XSpammer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
140	discord.com
138	discord.com
139	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	XSpammer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2132103209-3755304320-2959162027-1000\{18FC015E-8923-4BF5-AB8E-93888B094F68}	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
2820	XSpammer_Setup.exe
4820	XSpammer.exe
4820	XSpammer.exe
4136	XSpammer.exe
4136	XSpammer.exe
3960	powershell.exe
3960	powershell.exe
4272	powershell.exe
4272	powershell.exe
2888	msedge.exe
2888	msedge.exe
1388	msedge.exe
1388	msedge.exe
2004	identity_helper.exe
2004	identity_helper.exe
2440	msedge.exe
2440	msedge.exe
1572	XSpammer.exe
1572	XSpammer.exe
1572	XSpammer.exe
1572	XSpammer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2820	XSpammer_Setup.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1896	XSpammer.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe
1388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 2216	1896	XSpammer.exe	93
PID 1896 wrote to memory of 4820	1896	XSpammer.exe	94
PID 1896 wrote to memory of 4820	1896	XSpammer.exe	94
PID 1896 wrote to memory of 4136	1896	XSpammer.exe	95
PID 1896 wrote to memory of 4136	1896	XSpammer.exe	95
PID 1896 wrote to memory of 3960	1896	XSpammer.exe	98
PID 1896 wrote to memory of 3960	1896	XSpammer.exe	98
PID 1896 wrote to memory of 4272	1896	XSpammer.exe	100
PID 1896 wrote to memory of 4272	1896	XSpammer.exe	100
PID 3960 wrote to memory of 1388	3960	powershell.exe	102
PID 3960 wrote to memory of 1388	3960	powershell.exe	102
PID 1388 wrote to memory of 4876	1388	msedge.exe	103
PID 1388 wrote to memory of 4876	1388	msedge.exe	103
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104
PID 1388 wrote to memory of 688	1388	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\XSpammer_Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1592,8655429483603047113,11354289352872136805,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2216
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,8655429483603047113,11354289352872136805,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=1592,8655429483603047113,11354289352872136805,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass –WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AHIAaQB0AGUAYgBvAHQAcwAuAGMAbwBtAC8AZABpAHMAYwBvAHIAZAAtAGIAbwB0AC0AdABvAGsAZQBuAC8AIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.writebots.com/discord-bot-token/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37a046f8,0x7fff37a04708,0x7fff37a04718
      4⤵
      PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:2988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
      4⤵
      PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
      4⤵
      PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
      4⤵
      PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5688 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5880 /prefetch:8
      4⤵
      PID:1136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
      4⤵
      PID:2164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
      4⤵
      PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13550341626281940969,3579807902373001015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
      4⤵
      PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass –WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0ACAAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AHIAaQB0AGUAYgBvAHQAcwAuAGMAbwBtAC8AZABpAHMAYwBvAHIAZAAtAGIAbwB0AC0AdABvAGsAZQBuAC8AIgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.writebots.com/discord-bot-token/
    3⤵
    PID:2728
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1592,8655429483603047113,11354289352872136805,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2780 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff37a046f8,0x7fff37a04708,0x7fff37a04718
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c40d362bed26c987089aa9a5fcdb46c1

SHA1
b6aa6004c9a9d2fd86506b0c1ae536bb3291515e

SHA256
f72510baa72cec0eba74f8b83523fb4830b63b9e54ba81a833d626a406df6ec4

SHA512
5f633288cde97d57aff8427ac8415e955717e5ff7c7db39cf65fd34885b5d609a610e1bc8e6c53b6aa367d5721a82dfea16ed2aecee04d3cc1715da925c40d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3a9e5d80d812d9b2eff6eeabcd5725b0

SHA1
836ad8f91d9fa6dbb3f46cf4ad84f7a18f2d1c40

SHA256
24aabbdadafde619558b56c5bf8423572b2d7735a8cc8b5e882298e121b8750d

SHA512
118804c8395e7b18790816e8a04b8347819d329b6f0655ffc054c60974bc2795740cfc13a694eaa0099842032677b8f8abc0ad1ea2998854bddc5cf9d176232d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c933a8e69ac7b6e39003c8b1f859e9a

SHA1
3b88c65597ae0003abfaa8e3d61530be46b3cbeb

SHA256
6e9f5c9856fbf1fd5e82831e5a56d9923b278cc708adad3d47d6b1c2399dde44

SHA512
68a564d416ac769cb9c1095a97fb33c036462392cace78f8f37ff2e253b8737ed9727e014426aee800559b036467de90317e853e423d296be7f0663a2ef59817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1197db920794479f0480c45d6f9d809d

SHA1
dcbc9f520d4cc889d86ec2e22f5ac7e9ba759d7d

SHA256
335f16c97b8f6a841195873514119fe86240ec18d99e3361a96d77eb2a708223

SHA512
20a249c75d79251a890cdef52829da61e734df6304fe75c87a50c8859b3ded1baddbc6b07f239f8d25748f9ec998898988bc3b1c3c3d3b0a0115e02c0679811e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59528b.TMP

Filesize
704B

MD5
30768d266b9393cdab7c895084ebcaa9

SHA1
25e70b546d365270a6ae91d5c09845d63c22234d

SHA256
dffbcbf62a88ad9ba4aea5c083d10200bfff776cd13f52a23d7c6d75c4e98955

SHA512
0c6b57d36f0ecfc8b023703f90aefcd8192add39152f4f04fc55883a35add15a0b17242404dabef98c8e33647af5cb3b9bdeb56f664710e6e7e9ccf08e0fdcc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f4a48e43b200e413dd8f47ac924af2b

SHA1
3b07268fa73c2f758dd1e9a9b1a4c9bd0356ac20

SHA256
fdb83c206b9f8cbb0c36407e595686e7c76c3368405a0c5d9f07c5ef4a5f7548

SHA512
5950dd04f5a6c322a89f947b6d03c7a4d1e64df3d1f9cd852befd5cd07acb27a4aaf692072106be68b703d68e3f25e147f154f916bfdd219b4bc170b8063480e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\D3DCompiler_47.dll

Filesize
1.6MB

MD5
7d80738060984d160fbf47fc59143ad4

SHA1
2843e76cd63b230baafaab48370566f5e5bb7b38

SHA256
75a24a4a143b1d97797bc98d1da57096d76560cd5594ea43fd8e1e00455304fd

SHA512
d2e51232161464c1aa340a9a92800001b146c6988df90a56e99da7718eefa5a57955fa0fd3f5f99a71b42562504e7f7fbd5a16e501f5d6fd5d830e9468bcea59

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
5.6MB

MD5
86444a8ea89d88b4fb726664847f46ba

SHA1
d815968407dc5ee73a2e567c6c3a620a3250d03a

SHA256
24e98e47d1b68b8389090791f5413f09c4e0de5b7225d6adb44148a03725d90a

SHA512
7d4fe54a28bf13df2f2a23d69a5ff1f6756f50a4710fc164baa20286eab56fd9a40abe60eee095c1975e874b3b3de4aae382fe5dabd3d220c69e7b6880d34de5

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
2.7MB

MD5
cb985e6411cdf6cf1f7944b3918dedd5

SHA1
d98326982ab88f5811d0e96f7b608bb6d7f1a27a

SHA256
09da68534063cfdec138c55071b5c58ef3d40f4789172fac56b0e1f954307c89

SHA512
3012c88e9d9e99c79dd62bcd47dfc1703455f6d0722f0ce85cf2f82aafd9952ad0297ca232d1d75820f80d031daff27f299f117598625f76f84473c80a5aa13e

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
3.6MB

MD5
f5610c597ad3f5d34fcd6d8917768f95

SHA1
ffb996f7a58d14686afbd6b1dbaca3dab05eb856

SHA256
db07c5b9a452ff38df59b2c77504beafdf88f0c2b76c73444af5beb22aeef8ef

SHA512
65a485927b7706da1b30a14e613322e0287cac5113520698be0ff080a91a825ff7ef5c87c2c90aae76bc19850ae84a1a5847d7fa6ff792428acdc69850040be3

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
3.2MB

MD5
8fa4241f2e561e8269139eb8c501ed92

SHA1
783165f3c88985889f2ffb593e2ef01caece08f4

SHA256
1a5db920a7054bf1499071b3ee7e47a5351ff13ecb1f6c81cf2e296d27817067

SHA512
e855f5edb58284cd00c440e726200868674aea8c96a4f5222d0a09f0b2bc67512772635142d2f13bb698532613d3aeb8fb20e9f5558f1cba7122d29120184774

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
3.0MB

MD5
5ff3fed1adba0088984be269f99d6b6b

SHA1
fd983888560b648098497a2ca9dba4a61a72706c

SHA256
f7af3d36e89d9b55c1ed788a5d9e42951778d044a546e962ceb5d45713099fe7

SHA512
31dc15068e7c7f77fb80478d32d5c201edd3c064c659dce84e225193f88981e0d32c3c086756101e090c64e285fc2af4d61ee976f97aaf3093880e82b840b72e

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
3.1MB

MD5
ea0194d556101505f0f3658a0080a5fa

SHA1
0ea6165730196c92f1a66f88e93534927e7d952f

SHA256
1891f77b11dddd35c98f40854bcd08978c019d1f6b0948a2403dfa7d8380847f

SHA512
da24e845bea0cbed910d7b48e10690cd29c8c118d2c12c3a59747cd0e86418c44e0bbbbaddbfdd0c388480bd023c0b46f4477513845b6c2b5982b392a77ee075

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
92.8MB

MD5
5cc4c143feec9bc720afea80b5e570d7

SHA1
f45a9448d683772abf57844219bbf3536f443c7d

SHA256
5d5f9537008c07d1f81b60b3414d0859319143ba61e26feff0ab5c01cdc709f1

SHA512
f2d4032c9bd255c78f9e9de1c4f054c80c9f8da95c21772f5e7966079f895304ead5d0207cf055b65ac5fba71df51f663d376a26b6e365326531ee1db9fa6097

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\chrome_100_percent.pak

Filesize
123KB

MD5
a59ea69d64bf4f748401dc5a46a65854

SHA1
111c4cc792991faf947a33386a5862e3205b0cff

SHA256
f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9

SHA512
12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\chrome_200_percent.pak

Filesize
183KB

MD5
1985b8fc603db4d83df72cfaeeac7c50

SHA1
5b02363de1c193827062bfa628261b1ec16bd8cf

SHA256
7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b

SHA512
27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\d3dcompiler_47.dll

Filesize
1.6MB

MD5
30049cfaccd1cd28ae462bc3ad2b729c

SHA1
838cf59660e641511a663d57c896959daef01099

SHA256
09486b1f07d2a9dfea994b3a92c58a748595aa73b54f6d0b98f1c89cbeeca550

SHA512
58615ff819a033e572f8eef76672a31c7a4f89649cc74694a7da5838bcddd04ede2383df373821a30a406bf94304f48f07ca85a2cb0273b3404b7d089459f295

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\ffmpeg.dll

Filesize
2.1MB

MD5
1afa84519502666d8c9638fe38526d2f

SHA1
449c63cd2c3c5d86e74a04fa1dc6f1457638648e

SHA256
f197b19319fddac8ea895fead7273586817fcb378ed6d850ea2ef1d2d7de04bd

SHA512
4ee96d3f37e075cd85f2cc791af3bd2fd13dda2fb68e74ea4f42ecdb68684d24783abf18e60595cb1d9115415fdb1a6af1ef4fbfcc0b7778143a1e5cb88745a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\ffmpeg.dll

Filesize
64KB

MD5
1c99cf24656a6a2c72755d8ba2252a26

SHA1
32189adedf4a5d14245b51903f050dd3b0a082e5

SHA256
882313e3f6b9c9856ab06bd527237418df17bd422bbe38a75c04a613d333d788

SHA512
8fbff0dd21cf828b212d8f80d446b327d1e269cd57e289de6f8ddc7cce764f4dcc648526fcc64998ab17fce0e005cf6ad6b843161b0d3b2ed0b7e19de92a4d88

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\ffmpeg.dll

Filesize
2.6MB

MD5
4fbffa245790b44bec9149a8e50ab1c8

SHA1
49592b8a8d8c23792838e3592d2b2a6896b3d360

SHA256
c018b4f719f076acc9b8beafa7d1b84cec8680e612e0d31fd7ac6752b14a9d4c

SHA512
7a77bb6ab9a3fd2993432e63d6e69aa2730d2fb50163744618fc4d29a50cf32ce3a29fbaf3a108f03af54ddea57e51d3eecc4815a69092e148b14dc8bc77801a

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\ffmpeg.dll

Filesize
2.7MB

MD5
f42db9b6aab90c9793443758dfbdd81c

SHA1
70c88c7e612d7af4a3427b3c7f3d780dbab27458

SHA256
39133cd9234b0a5209e6b6927f1dae4d14c779b4946357d23d712347a5223d35

SHA512
35207134cc5539c5ab18d17589a7a5eb7ed169f25d11cd704ce006ada7881ea097b9b339ee1c1908102b5e352099aab57b19f858cc4644bb24d6cec163c62d78

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\icudtl.dat

Filesize
9.9MB

MD5
70499b58dc18e7ee1d7452a1d7a8bc6e

SHA1
41c5382f08c6a88670ce73a20c0dcdb3822f19e9

SHA256
02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0

SHA512
a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\libEGL.dll

Filesize
436KB

MD5
2df43c537453b453b6d4ced3317a6f03

SHA1
1a8b1fca2664fe530663c18bf8ee2e84ade96380

SHA256
67b1befb289b59fff5c28989b6643672823b85b900eca0aa4000a01ac9b9d346

SHA512
bef72725fe03cca6794c0cfc81fbaa1c858c68457ca83a4ebc98bab576b0c2544b4e02af203e43cb8bb75826e39f543fbff640c73548ab396fb1e60c610b0126

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\libGLESv2.dll

Filesize
1.4MB

MD5
d8fdf435839ea80b04977656f23f7b9e

SHA1
b5744ad8c50705456489ec09cb39719580003f28

SHA256
2c72aadb729602e130da22849bae106544cc89cc409219ff4eb5dc7cef0609e3

SHA512
6cfdac31d7f44057006f02a944124272bcc0d4c80ba2aa825ed1c7f4c3bca794048c3d06badbe18bfd19130bb4a46f1055680cc0bd19026912a2b1c93b1ac86d

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\libglesv2.dll

Filesize
1.3MB

MD5
4886435575edd8e281a753a3f301d0ba

SHA1
b7b178fde235690c422490f7915551f517b59211

SHA256
c5619cec1537cd7ffa64af085b1d54f3e4b875d549a5ab0e44e61e6691e51d19

SHA512
326a8a236b87595c24706251c77d9f6a3252b2cb8a27c75172b582a8d74ebf65ec9a2ac9e6e30ccbfa198ee84326c7534e946c7807f66c9a8d208d2f282b9c2b

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\locales\en-US.pak

Filesize
85KB

MD5
6bbeeb72daebc3b0cbd9c39e820c87a9

SHA1
bd9ebec2d3fc03a2b27f128cf2660b33a3344f43

SHA256
ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b

SHA512
66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\resources.pak

Filesize
2.7MB

MD5
3ebe1236fbad292c3d59974329fdc67c

SHA1
5a1cd1f95dc0be34dc7fec5139c046f7bd8a051d

SHA256
b97b291490666d1a33bda7e5c06c066b090b0da5103c027f4cc4e590857a6571

SHA512
82cd1a93538a0cb83c30aac5b313a88ddc1ce85e1d52ea5b3ab04801572e9a550b1cc70ad713dc3cdbf2068cc6e97a56258a9aa4b0070d8a00d7cd9488d3d0f8

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar

Filesize
8.0MB

MD5
ca0e113b16cff51afd02c2b87725ea13

SHA1
b94de2bbdd2ea8f33a734cb45fddce3cafbc1440

SHA256
a6d44f56b6098b23690e3b93841969daf6d8679f71c973b270940ff0d5e5b167

SHA512
35994058bac66c587edea1a58c0b363200210ad450181bbfb41ebe4b5f5f1e656e22ba58c1600590e551bdb4cb0f16490c2c4cc62e70e9c64aa1db17cc294f8b

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\v8_context_snapshot.bin

Filesize
160KB

MD5
b64c1fc7d75234994012c86dc5af10a6

SHA1
d0d562b5735d28381d59d0d86078ff6b493a678e

SHA256
31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790

SHA512
6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5wh4ts0k.lrh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
dd11f0cc2234d0e9495127bf7760bc5f

SHA1
8a80dabaea2291ab778fbb6f0e0a50a3a5f09905

SHA256
a8563105eb86b2e5b3394f7e5afcc1d39d5f82a9cfb04838310deccc188de0fb

SHA512
76a7b2589933f3778549085125a822b1c5dacb9359709d0c67fa4f37c55a2d8fddb5afe616de5dbe3568834772955098a9edb8c6672be7e4b2716884d082ce10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ae6a7238382cb6c4fabdcf430f006f16

SHA1
3ff09b71abbd018fbe2c114717a9e97a44b8a027

SHA256
51c959e84904cdb540b211c1e6fd0c5b4f43b3abd7019668f7d67ba8205ba646

SHA512
4663a73a76d222ef443e2a85981e8dec63858f780674231e2e57ad213c520a3c017fd1f1ca00a18f123c9ffdcfb7f72fbac090fd9b28f7112d0bb6751979cd3f

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State

Filesize
188B

MD5
c5aaf170523a6627a889bb1e69137e67

SHA1
6b2fc79d37ee85634b00c52ecd795e9d1ee2bdf3

SHA256
32db68227150f833e41cd5907195c1f05637cac33fdfbf3fd8f9acbfb94dfe5a

SHA512
3712cdd5ba18a101810b6e6b24a300b0c13400315cfead2569660f4bfc977d2e8be9db6a6109ef9812043b549ff06c3f4aadfd71e5d65d21819ad7e05590fdc3

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State~RFe58c54f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Desktop\XSpammer.lnk

Filesize
2KB

MD5
2c2c365257ea5cdb1bcac96ea11ea426

SHA1
a6b9b7834463c30525ad086a5d34336724b7e209

SHA256
c21a8163b21fe60ca07f47d3cd5e578267aecc5add12ee43786696576f7302f3

SHA512
cc370379d378d34e0f77fbb750d020a86586d3ccb2caa554a1d020063df88ee9e76e30ac5704967c60323eb18e39b4cf34bd6f59c67a6a213ede45909febfaa8

Download Submit
memory/2216-259-0x00007FFF5BC20000-0x00007FFF5BC21000-memory.dmp

Filesize
4KB

Download
memory/2216-332-0x00000233BD0D0000-0x00000233BD425000-memory.dmp

Filesize
3.3MB

Download
memory/2216-321-0x00000233BD0D0000-0x00000233BD425000-memory.dmp

Filesize
3.3MB

Download
memory/3960-360-0x00007FFF3F970000-0x00007FFF40431000-memory.dmp

Filesize
10.8MB

Download
memory/3960-357-0x000001940EEC0000-0x000001940EED0000-memory.dmp

Filesize
64KB

Download
memory/3960-356-0x000001940EEC0000-0x000001940EED0000-memory.dmp

Filesize
64KB

Download
memory/3960-355-0x00007FFF3F970000-0x00007FFF40431000-memory.dmp

Filesize
10.8MB

Download
memory/3960-345-0x0000019427E20000-0x0000019427E42000-memory.dmp

Filesize
136KB

Download
memory/4272-373-0x00007FFF3F970000-0x00007FFF40431000-memory.dmp

Filesize
10.8MB

Download
memory/4272-404-0x00007FFF3F970000-0x00007FFF40431000-memory.dmp

Filesize
10.8MB

Download
memory/4272-384-0x0000020B96190000-0x0000020B961A0000-memory.dmp

Filesize
64KB

Download
memory/4272-374-0x0000020B96190000-0x0000020B961A0000-memory.dmp

Filesize
64KB

Download