xred | hxxps://gofile[.]io/d/kQoB54

Resubmissions

18-12-2024 12:18

241218-pgqceazlfn 7

18-12-2024 12:17

18-12-2024 12:16

18-12-2024 12:14

18-12-2024 12:09

Analysis

max time kernel
68s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/kQoB54

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Steam Checker By Scorpio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
3972	Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4836	Synaptics.exe
1580	._cache_Synaptics.exe

Loads dropped DLL 16 IoCs

pid	Process
3972	Steam Checker By Scorpio.exe
3972	Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4836	Synaptics.exe
4836	Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Steam Checker By Scorpio.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam Checker By Scorpio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Steam Checker By Scorpio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Steam Checker By Scorpio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
3556	msedge.exe
3556	msedge.exe
2700	identity_helper.exe
2700	identity_helper.exe
1292	msedge.exe
1292	msedge.exe
4952	msedge.exe
4952	msedge.exe
2340	msedge.exe
2340	msedge.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
1580	._cache_Synaptics.exe
4804	._cache_Steam Checker By Scorpio.exe
4804	._cache_Steam Checker By Scorpio.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	348	7zG.exe
Token: 35	348	7zG.exe
Token: SeSecurityPrivilege	348	7zG.exe
Token: SeSecurityPrivilege	348	7zG.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
348	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
4804	._cache_Steam Checker By Scorpio.exe
2540	EXCEL.EXE
2540	EXCEL.EXE
1580	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 520	3556	msedge.exe	82
PID 3556 wrote to memory of 520	3556	msedge.exe	82
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 2192	3556	msedge.exe	83
PID 3556 wrote to memory of 1480	3556	msedge.exe	84
PID 3556 wrote to memory of 1480	3556	msedge.exe	84
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85
PID 3556 wrote to memory of 216	3556	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/kQoB54
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d0cb46f8,0x7ff8d0cb4708,0x7ff8d0cb4718
  2⤵
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8126302328533849558,3879484678996298503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:920

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\" -ad -an -ai#7zMap32748:120:7zEvent5430
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:348

C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe
"C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3972
- C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe
  "C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4804
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4836
- - C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Synaptics.exe
    "C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1580

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c12a7f1f022815f3aa8257df1fa61f74

SHA1
d76877733b009657488905eff2aaeb3e4b0e25c3

SHA256
233f4250d8f2dd7dc243a190270ee16616bcbac884c11006d9a01a3645b9987c

SHA512
e78775f9a8f74ef15d3854c345b94b7d233c8abce22ab1c2897c6c4304437e54cc9935cc4a339603b7f20e5aeadcc5c5d5bffcaee4cb3865ab007348b70f3055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
547B

MD5
eff9ee1a4a81161aa994ecf341bf16c7

SHA1
c9cf81b8ce40b69fc4a9174a916e89587b3ecddc

SHA256
d0a9fb172fb0d5ef21a24af2017c3daada14f8607663f689d353e77ac8f4c592

SHA512
8424250514d7e28dfef8faa1c5a50f51f00d1d0b64c28c140ab6243840aa60e9129e6c713fc58e654acd30e538e0904ae6dc2ab7434266b7278dc86c24c19f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f34272575c26041f014ccaa167b74ab

SHA1
1fcc6c8c3af09c7975ba28e1ce47f37e98ef1c73

SHA256
cd63bbb4ade5272fe518cae812d1cabf714bd0b025e3e163bad78ffbbfb6d501

SHA512
8848b3620424ec25c9758392beea15efa6899088fde79021b9803f210e721b9237489bbd553b96a7c5fb210ebacfff6217871cdd593547ad88bc3da4ddfebc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cbcf954860ecc9d76004bb5a32d5a667

SHA1
c61ea9fe5294ac6df20f6506b25e20c02d04e94e

SHA256
ee1328baf033c678a6d32f57817350127bcc353f585fb2bbf3526fbc4ebb54f6

SHA512
aad2c0e17377b10d0e70d4320d5bffde9d289a5100ad36db5608605296a1f499383c381397cc61e65328633eab375287a57e5770a03da28aec573ef062e74360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ae8c17ae4d2cfe3b7d5d1701c4d944b

SHA1
c708f0a7f0f277dbd5315c0e2d32e6fa9b6658b2

SHA256
b92b5381c763aea0c0cccaf83bc13f3c629f20bd3f3513189773b7592bd59661

SHA512
119ddfc7029e16e412380c22135becf06b1fb37a409be9d9ef86482995ef86c0134d37a369f00d65929ad473dafc5b01ff980204ce219e0e941fbd65e2567c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c426cc4adafcffc92cdbd5a01dc75f0

SHA1
59428928cf654a605d234834c928ebbeef2e376d

SHA256
47e707d80395b42ea7e381606f494198a12b1ac40d691a5e6f8d3304f14353c5

SHA512
830cad64594097eafcf1c95669a714e8110cc6443e7d92c4b74240dcdadb8c4618d646b56528d758efc103cc93777838c409d1ba0b1d893aaa1bfd4206ca2590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f33216d9c806b7e78cca1e912a9e817

SHA1
1318be072fba9f42df0ce5d04214f64473767300

SHA256
884d3f0f05d407a8bbd839aed91666e108f8d301c865748660f27adb636a200b

SHA512
7cafb65c1a03326b19181e175528800efc5f7a1ad61fcf9fc0623ddacd0b836be67de8437124b33eed137d9bbede8458d8d49aa8b626741bb7837048a3c4ecb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9efab3037e449e8e83bb00e49b5d38c4

SHA1
52d80e375ffa431719d57add4044416b2793fe8f

SHA256
068be80808112f6dca2fa2a576e38d3aad598332c9b8acf81ae472de1cd6c13b

SHA512
8e020126b59d8799d012af54ddac26e103f1ae85295901282a6f2323ee254eb6b2d06ed53a834e2fad8a675d8ede7590c0bf9f96e43368a31026ea5a481151e1

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.5.0.0\x86\ssapihook.dll

Filesize
57KB

MD5
9e7f44b8f1512476aa896e977c58830b

SHA1
eddd878d9e16502ee1eb7f583dd04e01b458ba42

SHA256
8e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708

SHA512
ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802

Download Submit
C:\Users\Admin\AppData\Local\Temp\56A85E00

Filesize
23KB

MD5
404ee0ffbaa35c9af0404e701bf8fe14

SHA1
da59fb54dfc45611a03471bba7d5e37ba9c3a7cd

SHA256
8c35a25313514bd6e767b97c95b9433c2cb448be60053b843d6d33a0da885e7e

SHA512
87de05aad0b773ea9603b72fb7269d1eb8662af8c5214b3506e5f603da19fafeec2c03a9bea6a6d6ab643c257d24d1372c78d58d80c7c0d6794bf25d398d2e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\googSxbq.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Downloads\Steam Checker by Mr.ViPER.rar

Filesize
1.8MB

MD5
659ccac29a8ef6a918146e1585ed4288

SHA1
a06ebb0d13ea282bcc75b7bc8696cedc0a242696

SHA256
47715294a4a85e5308a26b046bc13768f3e300911875ad92b8506aa154ef1a61

SHA512
bb466106d7485dba2fb193186a771cfcbe85d2b6d1ec7a70040c8b4d4238b9ba7d101ca3aa6d294fd1f399b3596ce70902c72bd4407b1b7f0447b8166bbfc695

Download Submit
C:\Users\Admin\Downloads\Steam Checker by X-SLAYER.rar

Filesize
1.5MB

MD5
df2aa099aaaf245e1125c949431ce534

SHA1
7fff72baa77272e1e314802cca2009c3c2d38936

SHA256
e539ac53241fd8d1d1d80e4b9b97f19cd7bf6fbe9b77fd24da09717c634d3677

SHA512
7de65faf0bd0ae75535d7061910d8dbfedf947d9a374baab6ff7f4643b1d4a64ec5a26d6f534cd79808e33e9025bb61cd79c3cbfb3d0d0b007289958173eea4c

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio.rar

Filesize
2.5MB

MD5
54e9a24fb3a19ddb0cde9bdad524d8cf

SHA1
bd17493ce33aacb976881be496bd4b394cb239c5

SHA256
387b084b873eca8ed5eaa5e47e5e37fb2535dee764feb85b58b0e9b616dc7b09

SHA512
7200386f8a970d5edc218500c32026f4943833029e5cdd73e2b051ef8c169908a1602dc3ab73e5defd89a9fe6306bac3c4a2bff4fe0f0bdb2e6fe4859568fbd7

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\._cache_Steam Checker By Scorpio.exe

Filesize
1.7MB

MD5
4ef4d48dec1058e81817e236c78df04a

SHA1
9bd81c4eccf3795a49f5cf6fee063b5371788d1d

SHA256
2e26221cdc9d70eb6ddc9f3651bfb6b2fad4e705015ffdbfae231173e7a4d713

SHA512
6ebf6328abde40ae3007e8041dfd1b606fb314417857f2b6fe8da294703958ad5e978b11f090b2ae5cc7096e79e3a2505e9c8fc6f2466826a3d1152036d7d8f1

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Bunifu_UI_v15232.dll

Filesize
663KB

MD5
7d723a8eb4d7e494ea488c13510b97b6

SHA1
07f07c10e0661fa5f272a61ce69ed95c1cb251b8

SHA256
b695ac865a5df23e45ff991bf26b71e4f879c89a1a6fde0ba92f31904beaca5c

SHA512
5ff49cc06df33b65c2bfbf37d89fa6ae2b71e26046bd7cf96a374ceb840ec7d3e11761f94b0f67b9ae38e4fcb1fe836c09a0b227e4a478f775a7511eda9d133c

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\SkinSoft.VisualStyler.dll

Filesize
1.0MB

MD5
69e6563e0e7ea843e9b37d58819f4136

SHA1
4aebf9955ba0d0b5205b6b013da634aa0281a25d

SHA256
f9fa9f508b9350ed12ed3aa5b7f24aed901a6434b1b02d1f0ee301b8eea54b06

SHA512
c883bcb3f6f2ac3f2fe88eed1356178ff2b43bdeed2188aa06f35cbc9dda8745a3a5c2d28d99daae5b6ea9af46abcae45b7bd4da13f318ba31062a8e8b79a942

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\Steam Checker By Scorpio.exe

Filesize
2.4MB

MD5
64e630606dcebfdf0ca89827767923b9

SHA1
576297c8d8389ae183eec599006f607e98115401

SHA256
443f2dae5074fa6e763e3f89cd727236826ff2c53e7540f2b4f1be84cce8e288

SHA512
f74747aaea6d031dbf313e6914a960105dffbff0664272d94dc8a750af5869537cadc6edba8b1e5f1661e69c9ce107652168ec23203baab682f0dc6d13d28455

Download Submit
C:\Users\Admin\Downloads\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\steam checkerv 1.0 by scorpio\xNet.dll

Filesize
116KB

MD5
3df8d87a482efad957d83819adb3020f

SHA1
f5b710581355ac5d0de7a36446b93533232144db

SHA256
2ac175b4d44245ee8e7aee9cc36df86925ef903d8516f20a2c51d84e35f23da4

SHA512
da28c34a85a6530b1c558fa11b0e71e70710d719cd8ceaf81f954d1fe3927ec139bee6c5f3135425cc5220905240f1a31d831611c46d18f5d52600b607ea59a6

Download Submit
memory/1580-467-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1580-468-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1580-471-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1580-470-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1580-469-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2540-508-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-399-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-398-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-397-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-400-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-401-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-403-0x00007FF89CEB0000-0x00007FF89CEC0000-memory.dmp

Filesize
64KB

Download
memory/2540-507-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-408-0x00007FF89CEB0000-0x00007FF89CEC0000-memory.dmp

Filesize
64KB

Download
memory/2540-509-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/2540-506-0x00007FF89F430000-0x00007FF89F440000-memory.dmp

Filesize
64KB

Download
memory/3972-317-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/4804-417-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/4804-415-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/4804-418-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4804-419-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4804-420-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/4804-421-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/4804-422-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/4804-423-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/4804-426-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/4804-428-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/4804-416-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/4804-433-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/4804-435-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/4804-438-0x0000000008A70000-0x0000000008A71000-memory.dmp

Filesize
4KB

Download
memory/4804-441-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/4804-443-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/4804-414-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/4804-413-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/4804-385-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/4804-396-0x0000000005DC0000-0x0000000005ECE000-memory.dmp

Filesize
1.1MB

Download
memory/4804-392-0x0000000005030000-0x0000000005054000-memory.dmp

Filesize
144KB

Download
memory/4804-382-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/4804-374-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/4804-373-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/4804-366-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/4804-329-0x0000000004A90000-0x0000000004A9E000-memory.dmp

Filesize
56KB

Download
memory/4804-318-0x00000000000E0000-0x0000000000292000-memory.dmp

Filesize
1.7MB

Download
memory/4836-510-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download