modiloader | hxxps://github[.]com/LJ9859/Malware-Database/raw/refs/heads/main/Antivirus-Rogues/Spy%20Stalker[.]zip

Analysis

max time kernel
182s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LJ9859/Malware-Database/raw/refs/heads/main/Antivirus-Rogues/Spy%20Stalker.zip

Score

10^/10

modiloader discovery persistence spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 15 IoCs

resource	yara_rule
behavioral1/memory/3372-214-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-217-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-218-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-219-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-220-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-221-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-222-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-223-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-235-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-236-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-237-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/3372-238-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/404-248-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/404-249-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1
behavioral1/memory/404-289-0x0000000000400000-0x00000000008E2000-memory.dmp	modiloader_stage1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Spy Stalker.exe

Executes dropped EXE 5 IoCs

pid	Process
4700	setup (2).exe
4228	is-ALHPC.tmp
3372	Spy Stalker.exe
404	Spy Stalker.exe
4120	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002351e-196.dat	upx
behavioral1/memory/3372-205-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-214-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-217-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-218-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-219-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-220-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-221-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-222-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-223-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/files/0x0007000000023521-225.dat	upx
behavioral1/memory/3372-235-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-236-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-237-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/3372-238-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/404-248-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/404-249-0x0000000000400000-0x00000000008E2000-memory.dmp	upx
behavioral1/memory/4120-287-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/404-289-0x0000000000400000-0x00000000008E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spy Stalker = "\"C:\\Program Files (x86)\\Spy Stalker\\Spy Stalker.exe\" /s"	Spy Stalker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	Spy Stalker.exe
File opened (read-only)	\??\n:	Spy Stalker.exe
File opened (read-only)	\??\o:	Spy Stalker.exe
File opened (read-only)	\??\u:	Spy Stalker.exe
File opened (read-only)	\??\v:	Spy Stalker.exe
File opened (read-only)	\??\y:	Spy Stalker.exe
File opened (read-only)	\??\g:	Spy Stalker.exe
File opened (read-only)	\??\h:	Spy Stalker.exe
File opened (read-only)	\??\i:	Spy Stalker.exe
File opened (read-only)	\??\k:	Spy Stalker.exe
File opened (read-only)	\??\q:	Spy Stalker.exe
File opened (read-only)	\??\r:	Spy Stalker.exe
File opened (read-only)	\??\x:	Spy Stalker.exe
File opened (read-only)	\??\a:	Spy Stalker.exe
File opened (read-only)	\??\b:	Spy Stalker.exe
File opened (read-only)	\??\e:	Spy Stalker.exe
File opened (read-only)	\??\m:	Spy Stalker.exe
File opened (read-only)	\??\p:	Spy Stalker.exe
File opened (read-only)	\??\s:	Spy Stalker.exe
File opened (read-only)	\??\t:	Spy Stalker.exe
File opened (read-only)	\??\l:	Spy Stalker.exe
File opened (read-only)	\??\w:	Spy Stalker.exe
File opened (read-only)	\??\z:	Spy Stalker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Spy Stalker\unins000.dat	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\is-DI21E.tmp	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\Sounds\is-TDRBP.tmp	is-ALHPC.tmp
File opened for modification	C:\Program Files (x86)\Spy Stalker\unins000.dat	is-ALHPC.tmp
File opened for modification	C:\Program Files (x86)\Spy Stalker\Spy Stalker.ini	Spy Stalker.exe
File created	C:\Program Files (x86)\Spy Stalker\is-OC40B.tmp	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\is-TEL05.tmp	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\is-DV3J3.tmp	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\is-UVL3N.tmp	is-ALHPC.tmp
File created	C:\Program Files (x86)\Spy Stalker\Sounds\is-4V5G1.tmp	is-ALHPC.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\1115-7014-E1B9-7599x.dat	Spy Stalker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-ALHPC.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spy Stalker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spy Stalker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup (2).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
4116	msedge.exe
4116	msedge.exe
4956	identity_helper.exe
4956	identity_helper.exe
1660	msedge.exe
1660	msedge.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3372	Spy Stalker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	3324	7zG.exe
Token: 35	3324	7zG.exe
Token: SeSecurityPrivilege	3324	7zG.exe
Token: SeSecurityPrivilege	3324	7zG.exe
Token: SeDebugPrivilege	3372	Spy Stalker.exe
Token: SeDebugPrivilege	3372	Spy Stalker.exe
Token: 33	2508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2508	AUDIODG.EXE
Token: SeDebugPrivilege	3372	Spy Stalker.exe
Token: SeDebugPrivilege	404	Spy Stalker.exe
Token: SeDebugPrivilege	404	Spy Stalker.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
3324	7zG.exe
4116	msedge.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
404	Spy Stalker.exe
404	Spy Stalker.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
3372	Spy Stalker.exe
404	Spy Stalker.exe
404	Spy Stalker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3372	Spy Stalker.exe
404	Spy Stalker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 5772	4116	msedge.exe	84
PID 4116 wrote to memory of 5772	4116	msedge.exe	84
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 5556	4116	msedge.exe	85
PID 4116 wrote to memory of 636	4116	msedge.exe	86
PID 4116 wrote to memory of 636	4116	msedge.exe	86
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87
PID 4116 wrote to memory of 2212	4116	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LJ9859/Malware-Database/raw/refs/heads/main/Antivirus-Rogues/Spy%20Stalker.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8d346f8,0x7ff8a8d34708,0x7ff8a8d34718
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10206302736148496144,15173711225370564501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1480

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Spy Stalker\" -spe -an -ai#7zMap3600:84:7zEvent138
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3324

C:\Users\Admin\Downloads\Spy Stalker\setup (2).exe
"C:\Users\Admin\Downloads\Spy Stalker\setup (2).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700
- C:\Users\Admin\AppData\Local\Temp\is-F5028.tmp\is-ALHPC.tmp
  C:\Users\Admin\AppData\Local\Temp\is-F5028.tmp\is-ALHPC.tmp /SL4 $601E6 "C:\Users\Admin\Downloads\Spy Stalker\setup (2).exe" 3769026 68096
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4228

C:\Program Files (x86)\Spy Stalker\Spy Stalker.exe
"C:\Program Files (x86)\Spy Stalker\Spy Stalker.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Program Files (x86)\Spy Stalker\Spy Stalker.exe
"C:\Program Files (x86)\Spy Stalker\Spy Stalker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:404
- C:\Program Files (x86)\Spy Stalker\Update.exe
  "C:\Program Files (x86)\Spy Stalker\Update.exe" /s
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Spy Stalker\Sounds\Click.wav

Filesize
1KB

MD5
fb657852643328574b448e4fc2d1463c

SHA1
97bd30f309c0ec06022c891006763f155162d167

SHA256
1873ee225b6b016ce52c6390b858bb6ed3548ac8b5b6f9e07f55a86044fe4d0f

SHA512
92201c9125d23adea19e59ca92a9eec501cfa358af25fc7f020559b588bdf0d938f1f942ca35cfe6f11c7998a8bfc8d376585f3e923b96b42e7cc52752204e26

Download Submit
C:\Program Files (x86)\Spy Stalker\Sounds\High.wav

Filesize
5KB

MD5
a63af2bd7427cb2d2d0b5a798eb772ef

SHA1
9fda92f02014ccb43bbef71143116faef4ecff31

SHA256
2f821a61e82b88757a79fbd66821939653384079a6df635a7127e5888732bfc8

SHA512
38411e02607a2e4ae6e49e60e86241e4a7854372a9130ff37e78463b67cef375ebb89e9aec38fbde48276d8549e8153fc9d2e15683ac10f31b7d076b8b12cec9

Download Submit
C:\Program Files (x86)\Spy Stalker\Spy Stalker.dat

Filesize
1.5MB

MD5
17e7b8542e8f5c4e3cbf3f42882d1435

SHA1
cde26289f5b858be40c2d624fd26515bf4176b85

SHA256
fd8d08a096edd1fd8b580f87ed2578a81104e4384134c52787c11d71f63510eb

SHA512
e5666663e46971eb5d4e8a94940890ee8570fd3c5182b83b31dc05f6c20b7d9efd611aa81eb5683101b6761fd0028c2e3e1e86b40b0db0f04a29507aece81d93

Download Submit
C:\Program Files (x86)\Spy Stalker\Spy Stalker.exe

Filesize
1.1MB

MD5
e43fdda651712d6ae49370ab13460069

SHA1
7786ea4a38d3b0b5ed50f299ff922ef3b85d0eb8

SHA256
c0fd9434cb87c0cb1558b1d57aa6afb84e3ee3bbba11afeb2c4645a2cd378445

SHA512
e2f15396a7556e84da802fab00f622b334ab3a92f34c3c021dc2c16fb5ae6ea500285513ffe805355f3eef5ff4c6a74cf1998403261f123cf825492724b31aa3

Download Submit
C:\Program Files (x86)\Spy Stalker\Spy Stalker.ini

Filesize
997B

MD5
00e0125682e298831fe11b41c2d62ee2

SHA1
48d9bccb2dd20d141821a43b34014c3f692849a1

SHA256
f9dd270498d9bb32076d0536cbc7a78766d6e872bdbe287a4bdd5e6cf7153e3d

SHA512
c24d9d04d3513ec8be800a43a2e5d6f390184c9e94f72a96ef492fa77aafc8026781e9bf16824daac2c76c974092f4af9bc3d6b77e426e10f293d35b01bcce3b

Download Submit
C:\Program Files (x86)\Spy Stalker\Update.exe

Filesize
199KB

MD5
bfc35cd7922f12845f9abd9be469cf0e

SHA1
c909c9c5b3b1297c57b07fb5558efa2421494b53

SHA256
2dcd3e1b1fb46027038655d218846338b9b1b65fd03be731f67345d143e17ac8

SHA512
643db224fe40b5a57a6394ae45cc1efeaa958da32979d1196ff476e1c393f845ba3430b0a4c6de59c2eb257f9576737e1a5463d250a885154abd38ac3aeba92a

Download Submit
C:\Program Files (x86)\Spy Stalker\unins000.dat

Filesize
1KB

MD5
8e738b097c7b98160f74625fb585b456

SHA1
2f0f67dbd9f8ccb1e22451f428128065fabe3b34

SHA256
7710aa932070c846f58029191dc1c0ec751ec4c3e1698cb8a05a96d5038c4025

SHA512
446e269f84aae94ec5a2fc625baff7c2cd33119c5a9428e8d40cb813d202fa37bec3ba205f1ba64f60c568a289fddf1570a5bc842352a38afea1350251dc028a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
307a3991f2458f2c43cdee7958880e01

SHA1
231aaecf991aaf9395c306a6e8fa97dec0013e32

SHA256
a2d9b1b09d193c16e2a51627e502a561629911bfd64559cdce0b18a7b48bb4e9

SHA512
01efa5ef806ef637de5b28a10b47b65f48d36f4b6bb7711471605f0e718efc11772348a81fe2ad478058cb7876b8c08258a5242690fec96996f36229a65af00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
5fe08bb6557ff7a52c41868e3b77b788

SHA1
492cb4c18d3f23b3e7298b912cb15bf4c314713c

SHA256
24aa23b6548e065853f00af8c7e23c4adc760de4baf0ae3abb09a77f4b9988eb

SHA512
41ce0b2ab52bf7681cd830ced0b966f310dbdf4440723480139545efe64f2f65bb22d75752da78bf9629cde1ba0ae8cd7852153a779d61012e52534f6c516b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
6e3ed2b6f06b027df34a55b555d0cc28

SHA1
77dd02de21ff074661e6f7abb97e43c2b5b236b1

SHA256
e16fad8262db4bec2be670b354c8710a64fa3b8c0b9bfecbf232952d03b0af4f

SHA512
43b2051c731b94bb069a10fdcedacff17313aba647dea410ed5fabc53279e4c5711db5998a99eed38e18953be6f22bed3afd3d249ac5165eeafe48a980132a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b5da70f8c0f61b72fa9a949653b1bdc

SHA1
7f5cf454bbda52531e361e36f469bb49382065fe

SHA256
4d108158f354bbf04e9b71f503b567c1a55c4cfa6fcbdbd3a973766c1bca582b

SHA512
1dc88909d90b7a2717bec2e4ce4329b6b4f02d8a28aa91b2532e8c6aec436627810fc115be41601d21cd0584a94900cce56b4c93b354a9d8cd307b50087b3c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89cd1c21d7d2dd5381b4b425581bb58b

SHA1
1c9c17088599bfea6448ee97deaf0c68bd68ce21

SHA256
46334d6a73ba450f19b555c66e995007a6c558d86a7ea84163be319bf0908be4

SHA512
1312888d1e6a5c30647a55b8cf459b32eb445ef9db691680e8cd5519d4427e6720ccdcf294bfae8aefb1caa8fa2a27b11725f85e88e36a3611ae441ed2e2cf0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
939e99466163a754ac02c60b4b223c31

SHA1
4e7d0359daab853e0a25ca34dd37ab5245c57c2f

SHA256
af817034d53cbb56aa7c17a3aaa2fbdc70e52069d1d56b4b2db5ead1489a3712

SHA512
26c0108fa1121e318ded8edba9a454d8217bb41ef0ea56e0ac398a827c7aa6539ab9cc67ec2a28fb0841f3150715541e8e21dd93ca5c4f23e0ceb7d3efe5fc0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
3174f7d793405566f23e07f9f49aef5f

SHA1
5dc45f1d6a9ea9438d1fd2f68e0e0176231cecd2

SHA256
6389baa31788aa81ef32989b5a9886981ce13496a069aa5124d6e7f80d909403

SHA512
1a71724e679245ebd453fa47f5941201f450524765a96c52f7891f8cd298caabdc16537ef13cc85123f3c0051eb53232ca3aeae96d80d94390b791bca3354783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
516d45c0d6acf38353b260dea7c28994

SHA1
6207bef049701b2031b9c64621f2af4479fecee4

SHA256
0a28b1a9062b42b8df33a142ce331dfd35f89bf23402ecc17b0d612428913dcc

SHA512
48cfc59f2134bd377008f2d9b7e284cb6a461d041fd1cb1af819c4c6b21b1110f5e890a7c40769a1adb50176365c4213ae3dd40a0a2816bd10437416d7a4a8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
e1f42be4c87d83294e57be3ad9338581

SHA1
d3a2810f49c0622008cac7d314158718382f31e4

SHA256
97e4812a39128d79aad8ae42bd647deb24f95cdaadb331724d47112f60c5e539

SHA512
e70185abcee1fa2595df89278449639f06239f5f93209d97ed94e3be90fc2e73ad462c0ba3624dbfee7bc536bbea657a8f63a9f244f4894d632374a8620b4d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
eeb1c018e37b6c845c476263595272cc

SHA1
583989f5770e88b1780ed2468cf2b11333783d71

SHA256
8fdab9b0528b9db3c0cdfac89c97d78d2c59a660e4291f7348d664a50237cbba

SHA512
5c4688b56beb792fca6328e0ccfef03465b8974026b3643dbd83fdaaf6c27479dced5ff63708953e9c2933d948916cad2d3ee627183dee2749b6e6e0ea23bd27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
d29ddaebb14b9f226221aed6ed8ae14c

SHA1
79a9f0c2e8715675d2e72ae4188010fccacb41c7

SHA256
7c7158976612c073be267c73383176639b8a61b52d650276d772fa9a384010f6

SHA512
9dc270bb6be3b5653833458af7b7fca360f40e97e2477daecb80372f8e6be7043dfebc9ee012f3bd362f5aa49c1d3f8a7ea0842902ad620f3598250821f9c17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
c8d2b5ba27e83b0b79c24d258903ab76

SHA1
a8ed0fecfa64c1060ed6aabc4c7d0ba426683bf9

SHA256
cb658901d24fe3d976cbbfd0c45c8881246109e263a9f96b76857a5dbd881b9b

SHA512
558ac8efd2404a25b435eb45a6725e759bbcc65c6cb101fcabcec61aac861c6421d8578c6879a0f4e47b9402b0b5d24d8a8f30d04962db269ddd76096958776f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
58dff12499ef430335f2158e598d1e50

SHA1
1325783ce0e7a1863503c1b13f51e760db795b8f

SHA256
e80c95261a6231a10158e297a07c5b31028979470982b664f58c73b42f205899

SHA512
4be558497269ac7d676704a9bff36dd08b00652ed9349b0bf5df0d735f3c248a08d2460bca39fa26d865e879b087aff08c801a6d107dd78b8c6fd8b5a4527f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc284c286f4b9e7583c79c91afb4f527

SHA1
3058c51c079276392abf3f55955625ca4a1f37bd

SHA256
64ba4e56ad7e313116f99ca6c23e8762d8d1e22b05bedbf5f06c855d9461d206

SHA512
ea006a63187bb432b5f4f05627f7cd872e648a4bd8de2ff0394c8caf7104c46d0f971711f9bfb4a7ebed7939b98214e377a5928b25024a7247932d7ac565b171

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F5028.tmp\is-ALHPC.tmp

Filesize
551KB

MD5
2a3152c6ff21197f67ca1d9360ced0dc

SHA1
5272f3d3d324b23de1b53c84ef598de494ad7821

SHA256
96b8be7cb1fec885cba93386b5b6814452efc8d0ef391385adafb34a611ab5ac

SHA512
19ba6d65a3c256c80cab767210c837197046250d769fa915b5023bf99bf53d21c56892da15ebc82891ba5fd9a45e0336fefc94ebabe5698e7911c6fabbb09cd0

Download Submit
C:\Users\Admin\Downloads\Spy Stalker.zip

Filesize
3.6MB

MD5
cf28b0108dcb4e94dfc51a2b474bc408

SHA1
3aac48935e3cb82ae30b3f7b05d8170811254e7d

SHA256
acbe06cfdc7a4893f5efccd470970a5562ab3ce68f337adca3b6aa9f66109873

SHA512
8fb2024819dd0c685a7cd04c9979d85aad336002335bf26d7ec2b354744a3b7e424fdefefecae88279d5842561174f3f5c2df725a2dce22f8232910ba509339a

Download Submit
C:\Users\Admin\Downloads\Spy Stalker\setup (2).exe

Filesize
3.6MB

MD5
0a0219c7c1d762cb920a165ce6911e29

SHA1
3fe582da104ffa1bfb01b9221ba091c976e54c79

SHA256
e01cd405963d5b330ae2dd21c7234f39199233cdb5998f8015fa0a18dccc6074

SHA512
f61763ae441d0187871201d1d9a862923ff1d3f918dad7a9680849e9a5337343727614ae63e91a73f06c2bd4ff2002cb20d6802ffe5ee38f0cc0c4f03e9a047b

Download Submit
C:\Windows\1115-7014-E1B9-7599x.dat

Filesize
14B

MD5
7202dc6b959bbb496b71c2344f0e7fa1

SHA1
93b0836920f56b229408b4c9c24857f293ccd864

SHA256
2d0cfe26395e22c92fe26a6ec1e143725aacf9f2f8461d3b4945768c39768705

SHA512
3cbc7f146cad5d0d13553eb3592ac39fd8dadbb00db707529d7758dce7cb5185e7adea97ed0165d2e402fe6b2b5912b448629a9e5873386439edff0465d2c337

Download Submit
memory/404-249-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/404-248-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/404-289-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-219-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-235-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-222-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-221-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-220-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-218-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-217-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-214-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-205-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-223-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-236-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-237-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3372-238-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4120-287-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4228-201-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4228-176-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4700-202-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4700-175-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4700-166-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download