Overview

overview

10

Static

static

3

playit-0.9...ed.exe

windows11-21h2-x64

Analysis

  • max time kernel
    39s
  • max time network
    41s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-11-2024 22:53

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    playit-0.9.4-signed.exe

  • Size

    4.5MB

  • MD5

    b5a2f8dde0d824b64b749f0db69d00d4

  • SHA1

    2cf1025a87a2dee9972b71f54e399e37ae75e043

  • SHA256

    12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906

  • SHA512

    107a05c44148d9b4c7ae597c94e1a99809addeb43ade7178effd83758bd443afbaf9d3008894c8e5834ac9acb308517097418bc8a5f9f0d50d25a373aa6637d6

  • SSDEEP

    98304:yJd9khieA3BPOtdBrkFVYBh7IoAyTzZwFkQoGtczBOlzp2ybcBk:yJnkvAxPO3BrkFVYBKoASaFJekl92AcB

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

147.185.221.23:24311

Attributes
  • Install_directory

    %AppData%

  • install_file

    RegEdit.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe
    "C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
      "C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playit.gg/claim/e0e9776614
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc86103cb8,0x7ffc86103cc8,0x7ffc86103cd8
          4⤵
            PID:1448
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
            4⤵
              PID:3640
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1976
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
              4⤵
                PID:4888
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                4⤵
                  PID:2352
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                  4⤵
                    PID:4592
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1452
                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2980
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                    4⤵
                      PID:2408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
                      4⤵
                        PID:2272
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
                        4⤵
                          PID:4220
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,7431695090333381532,11860418498002544252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                          4⤵
                            PID:748
                      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                        2⤵
                        • Drops startup file
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2248
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3564
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2652
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
                          3⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1136
                        • C:\Windows\System32\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:876
                        • C:\Windows\SYSTEM32\shutdown.exe
                          shutdown.exe /f /s /t 0
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2136
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:868
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4828
                        • C:\Users\Admin\AppData\Roaming\XClient.exe
                          C:\Users\Admin\AppData\Roaming\XClient.exe
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3796
                        • C:\Windows\system32\LogonUI.exe
                          "LogonUI.exe" /flags:0x4 /state0:0xa3a17055 /state1:0x41c64e6d
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of SetWindowsHookEx
                          PID:956

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          627073ee3ca9676911bee35548eff2b8

                          SHA1

                          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                          SHA256

                          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                          SHA512

                          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\877945e8-6f0c-49b5-a04e-3fc0ebe9bc07.tmp
                          Filesize

                          10KB

                          MD5

                          a3a84396a0b9353b79cb7e9e31a47163

                          SHA1

                          7d4cdf335deaff5843497537f11280339cfccf80

                          SHA256

                          0d087fb6b0cfb200b33cb553ef2b3165d1f69787c91680b9fb5c93aa68011e4b

                          SHA512

                          065a12fe14d1f384d400687d7db1a9ed5cc4a470e20a40e6903e82f654c73b2b76f2c0a8915946a6cd9d3f4982eeb62c8ddf12684b8e8205f230a51607b98dd7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          cb557349d7af9d6754aed39b4ace5bee

                          SHA1

                          04de2ac30defbb36508a41872ddb475effe2d793

                          SHA256

                          cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

                          SHA512

                          f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          aad1d98ca9748cc4c31aa3b5abfe0fed

                          SHA1

                          32e8d4d9447b13bc00ec3eb15a88c55c29489495

                          SHA256

                          2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

                          SHA512

                          150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                          Filesize

                          312B

                          MD5

                          649aad2193d4eba232a445432ec0c6ed

                          SHA1

                          5067b426dba66dbba779cfddac65ad955c9ba12b

                          SHA256

                          96709b40e47ee8f8e9f0bb8a0b5b859224b14d5fa6c103394ff5aa807e49b97c

                          SHA512

                          63fe2372aac1e07fd59107272a93489dcff43a2fab631b183792131cd0d75238ba3d9822f2d266ab26e0d24760bd0d98cea59b178a7ec05da373598910b1ada4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          5KB

                          MD5

                          fe73ced0d0fa57e6b98fd9abd237d96a

                          SHA1

                          f7366f0e1c3755a9f672d5398849f5fd1b5b97b4

                          SHA256

                          817ad61bb95654adbfbdc31153feeabb8158134754a96b36aae452b5ec1e3c88

                          SHA512

                          9e8213ca5bf066decb87be294099756b8bd39ed8709ad9f63456ec965bc1cdb23f7c5c718f0a3617c2f90cd0fa5bc016b9f1ee92e67da7e0efada796c5ecf861

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          6KB

                          MD5

                          4e2d85c19dfd04b4dd3d1f3c6c6290a6

                          SHA1

                          e7c665c48c08686764ebf1dedd598cb7b7283f7d

                          SHA256

                          7d344c0595378a015f1192019d688f7b75a0795fc83c41482ec9355977182b4b

                          SHA512

                          48099d0920d1738817e2cfee32b4a8d9effebb7aff6142d6f4ffa52d25307230ae33cd7d02e38d2e652a2effa48fbf39a42d875892e4933565afd1aca421bd0d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          6KB

                          MD5

                          9a8f25802d2dfa6bc39c7ffb82a1e04d

                          SHA1

                          83892b57cdacf9e9d16635aec94c6d57a96dd7e5

                          SHA256

                          58d1a32f1c5e0cc514cd39f019ebdfac572f5e66e44ee8ac6f6dc9eebd474ed6

                          SHA512

                          c28b6f2a8a713c8980bbb71d329ea2a1d64d22adaece295c8ec375b09fa08eecc3eb73c4d12eb318a7ede348ef2d2edf42ee152008fde02189c46c63afa45415

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                          Filesize

                          16B

                          MD5

                          6752a1d65b201c13b62ea44016eb221f

                          SHA1

                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                          SHA256

                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                          SHA512

                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          9d17e8585400bc639a8b261083920ec3

                          SHA1

                          aef71cce477bd67115a4e2a0a86e6b8f0f62e30a

                          SHA256

                          81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1

                          SHA512

                          235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          d0a4a3b9a52b8fe3b019f6cd0ef3dad6

                          SHA1

                          fed70ce7834c3b97edbd078eccda1e5effa527cd

                          SHA256

                          21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

                          SHA512

                          1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                          Filesize

                          57KB

                          MD5

                          f2a9ba24fda65a5e298a37965de4258f

                          SHA1

                          5c91e7c89233c45933ac106cd4d1110d293c9206

                          SHA256

                          6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd

                          SHA512

                          e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pevfvv1z.i1r.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
                          Filesize

                          13.1MB

                          MD5

                          da0750733bf36c61222eefaba4805dcb

                          SHA1

                          304e90d123300e646b768f1f358e59ba506b7dce

                          SHA256

                          c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac

                          SHA512

                          f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
                          Filesize

                          2B

                          MD5

                          f3b25701fe362ec84616a93a45ce9998

                          SHA1

                          d62636d8caec13f04e28442a0a6fa1afeb024bbb

                          SHA256

                          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                          SHA512

                          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                          Download Submit

                        • memory/2248-22-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2248-158-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2248-222-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2248-129-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2248-125-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2248-24-0x0000000000E00000-0x0000000000E14000-memory.dmp

                          Filesize

                          80KB

                          Download

                        • memory/2248-162-0x000000001C6F0000-0x000000001C6FA000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/3068-0-0x00007FFC85053000-0x00007FFC85055000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/3068-2-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3068-23-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3068-1-0x00000000005D0000-0x0000000000A52000-memory.dmp

                          Filesize

                          4.5MB

                          Download

                        • memory/3564-62-0x0000025D59860000-0x0000025D59882000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/5060-161-0x0000000000400000-0x0000000000C1E000-memory.dmp

                          Filesize

                          8.1MB

                          Download

                        • memory/5060-178-0x0000000000400000-0x0000000000C1E000-memory.dmp

                          Filesize

                          8.1MB

                          Download

                        • memory/5060-221-0x0000000000400000-0x0000000000C1E000-memory.dmp

                          Filesize

                          8.1MB

                          Download

                        • memory/5060-128-0x0000000000400000-0x0000000000C1E000-memory.dmp

                          Filesize

                          8.1MB

                          Download