mystic | 8ef8f16ee0260550a5e9b83d9e01c38ff725b2ae1e9640795d38235c1857680b

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe
Size

1.4MB
MD5

c884a128e4fd875c57886af1d22b7abc
SHA1

4ca08d377f421a6559febd155d95b6b83ec92671
SHA256

e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf
SHA512

66935b3026202ffc9703aea5f2fe2d961806619d835ba49ce63aadc6d99bc74b6672ad5ded3160dc55cf7e9cd22fe3233cea6f8e4b391a7df06e54fa6e7c9c17
SSDEEP

24576:2yvVa6RnDcXOGflJST7j9DiGlhHuMepNFxRzPaljDaGtvMSL/yJlqlh3c5:FvVVDcXn9ojNJlIMepNF3Mt/2Jl

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3092-33-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3092-34-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3092-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3092-37-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2952-52-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	5As4gQ9.exe

Executes dropped EXE 8 IoCs

pid	Process
2064	Uj2pM83.exe
3408	Pq4YU94.exe
116	kk8SI89.exe
1228	1iQ06oE3.exe
2068	2xB2299.exe
1928	3Ip67ST.exe
4036	4zT159yC.exe
564	5As4gQ9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uj2pM83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Pq4YU94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kk8SI89.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 2876	1228	1iQ06oE3.exe	92
PID 2068 set thread context of 3092	2068	2xB2299.exe	100
PID 1928 set thread context of 2680	1928	3Ip67ST.exe	107
PID 4036 set thread context of 2952	4036	4zT159yC.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
876	1228	WerFault.exe	91
1312	2068	WerFault.exe	97
1932	3092	WerFault.exe	100
4664	1928	WerFault.exe	105
2004	4036	WerFault.exe	110

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	AppLaunch.exe
2876	AppLaunch.exe
2680	AppLaunch.exe
2680	AppLaunch.exe
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
2744	msedge.exe
2744	msedge.exe
4004	msedge.exe
4004	msedge.exe
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3560	msedge.exe
3560	msedge.exe
3488	Process not Found
3488	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2680	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	AppLaunch.exe
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found
Token: SeShutdownPrivilege	3488	Process not Found
Token: SeCreatePagefilePrivilege	3488	Process not Found

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3488	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2064	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	87
PID 1036 wrote to memory of 2064	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	87
PID 1036 wrote to memory of 2064	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	87
PID 2064 wrote to memory of 3408	2064	Uj2pM83.exe	89
PID 2064 wrote to memory of 3408	2064	Uj2pM83.exe	89
PID 2064 wrote to memory of 3408	2064	Uj2pM83.exe	89
PID 3408 wrote to memory of 116	3408	Pq4YU94.exe	90
PID 3408 wrote to memory of 116	3408	Pq4YU94.exe	90
PID 3408 wrote to memory of 116	3408	Pq4YU94.exe	90
PID 116 wrote to memory of 1228	116	kk8SI89.exe	91
PID 116 wrote to memory of 1228	116	kk8SI89.exe	91
PID 116 wrote to memory of 1228	116	kk8SI89.exe	91
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 1228 wrote to memory of 2876	1228	1iQ06oE3.exe	92
PID 116 wrote to memory of 2068	116	kk8SI89.exe	97
PID 116 wrote to memory of 2068	116	kk8SI89.exe	97
PID 116 wrote to memory of 2068	116	kk8SI89.exe	97
PID 2068 wrote to memory of 844	2068	2xB2299.exe	99
PID 2068 wrote to memory of 844	2068	2xB2299.exe	99
PID 2068 wrote to memory of 844	2068	2xB2299.exe	99
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 2068 wrote to memory of 3092	2068	2xB2299.exe	100
PID 3408 wrote to memory of 1928	3408	Pq4YU94.exe	105
PID 3408 wrote to memory of 1928	3408	Pq4YU94.exe	105
PID 3408 wrote to memory of 1928	3408	Pq4YU94.exe	105
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 1928 wrote to memory of 2680	1928	3Ip67ST.exe	107
PID 2064 wrote to memory of 4036	2064	Uj2pM83.exe	110
PID 2064 wrote to memory of 4036	2064	Uj2pM83.exe	110
PID 2064 wrote to memory of 4036	2064	Uj2pM83.exe	110
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 4036 wrote to memory of 2952	4036	4zT159yC.exe	112
PID 1036 wrote to memory of 564	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	115
PID 1036 wrote to memory of 564	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	115
PID 1036 wrote to memory of 564	1036	e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe	115
PID 564 wrote to memory of 4824	564	5As4gQ9.exe	116
PID 564 wrote to memory of 4824	564	5As4gQ9.exe	116
PID 4824 wrote to memory of 3560	4824	cmd.exe	119
PID 4824 wrote to memory of 3560	4824	cmd.exe	119
PID 4824 wrote to memory of 532	4824	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe
"C:\Users\Admin\AppData\Local\Temp\e06b8524545855f3bf88df52616feb140a1b40f5ae120c8f4ca6e886baf9ddcf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uj2pM83.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uj2pM83.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pq4YU94.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pq4YU94.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kk8SI89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kk8SI89.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iQ06oE3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iQ06oE3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 568
        6⤵
        Program crash
        
        PID:876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xB2299.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xB2299.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 540
        7⤵
        Program crash
        
        PID:1932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 152
        6⤵
        Program crash
        
        PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ip67ST.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ip67ST.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 152
        5⤵
        Program crash
        
        PID:4664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zT159yC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zT159yC.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 580
      4⤵
      Program crash
      PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5As4gQ9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5As4gQ9.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D78.tmp\9D79.tmp\9D7A.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5As4gQ9.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffeac5846f8,0x7ffeac584708,0x7ffeac584718
        5⤵
        
        PID:4844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:4732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
        5⤵
        
        PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        5⤵
        
        PID:4408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
        5⤵
        
        PID:4036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
        5⤵
        
        PID:2592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
        5⤵
        
        PID:4796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13429770791459424309,5073250073858734894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
        5⤵
        
        PID:4484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffeac5846f8,0x7ffeac584708,0x7ffeac584718
        5⤵
        
        PID:776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1504,8330581720560104055,18173290838500081892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,8330581720560104055,18173290838500081892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1228 -ip 1228
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2068 -ip 2068
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3092 -ip 3092
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1928 -ip 1928
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4036 -ip 4036
1⤵
PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
788dcf67b79eb8f0087832dc7db1e709

SHA1
e433abebfa09c58c3d5321124a935a39f8ffbd1c

SHA256
1d08c922606a3ab02bb2d9df1f3f404877ff94bbcec5b5e8b62f8e96a40b70c0

SHA512
75b6d41cb173c59fd66f6c57e4614c22549e59f537ddfbf97168abd5fc958c4f87eaffc444546ef2248cd69b5360a705bd72467f068880fa3707f43e77b79809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cb185a64639d989f8bdb45b1f53dcd72

SHA1
a3364cc69e4b918255aafd48749681676a8686e8

SHA256
60fbc6d51c9a5a6907ffd057a2936666758831016f68a8507a60f1e174ea4535

SHA512
f68fcfa173d211cc8f271061a7bf9e48d5da2920d4873e0e0b1d8c7d09be1a3fa2ad418e53c4d25b0a41541b30e9ce68c287c14b16ac7ec204998489325d2b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0416d490621c3a6c13f22b97f8b5fca7

SHA1
ce0b8ca5449776e9593ec49ba8b8e019c6adc699

SHA256
e6792e6c1a0d97fc4bea3d2b273ec740b26ac7befbc166171e9373f59aebcfc8

SHA512
22d1dbad2170dd667ca5c2298099b473ba61a253159cb2070693301786035a295954fc6404d4015c1c97d58158cd5e4a00e55e20a1cce1c40fa322ef0397f6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7164f3014d14e99f2477502edc1f008a

SHA1
3d1cffa55bc0f9f06ad3e53b702bd69f249d5724

SHA256
303b0ccf60cb5ec9bd46bf49a2d7faf4a464b36469263942ca76def2fd4369fb

SHA512
92442b3ec403a153ff659ccf1988d692080f42e0596a2cbfc048057f573be57f40092bc153e6bc62ecd4f7432ddb61a810373c98b0d6cb8b44ed728dae1bbb62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
816b3786265e67d7e2a451abd43b818f

SHA1
d2fd639d62cab740b982ed0c52b59925f1dd8f44

SHA256
0061f12812e7be09bf195c7265514e82092771241d05e0c94041216dfa139d4d

SHA512
c32beb4582bfa012ef14a648809e6ea73b9cb182d4576aa0d239a1039335a90fc33eba37df8cbfd001023059109dac5748dc33ccafd7ef8fbb37e969dbba7bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
2b75ee762acbce20e708b1f4b672796b

SHA1
4ea200b712714dd4cf3d729dd926cf6d84765f32

SHA256
7e8c839df8a0e4cba79793060447a8ef006dd494579223c15072a942798af25f

SHA512
95f2ccd20e48589a1471384718f96cd6834e8f17b086d468ed106cbc104a3daede1f9161b8b52e2f533433a8f9c9a4367f6d8e07964aa652254eae4219ad8409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
f1a177f16f76bff3ff723436bf79de0c

SHA1
2e26da62547e281bb362d06979315b5a9115d6e1

SHA256
2e96b35f4792abd76fd1f771e2e27a5c9e7dc4603643278a6e51c8a26cfa8225

SHA512
f4226600beb13ed7da9aff340dc1cd97871efcb289fc4a23b14bf0494fd7f0d65b13cced4ac2c91c59d26f2c43c3e37e7ac0bd64f4405fcfc69c70f7b00e1a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
540f77d7ad5dd768a38d3ff46d8baf1b

SHA1
4db6bd6baf17c2d1328df684b94ba27e2e72e489

SHA256
d8fbf089571d8d491bb1506815c8dc2bbd48593d932dd311ea606c27d79b9180

SHA512
5847bef4c5d501c08c882a42b717bf16bbf8b96004d05eb3d273c94f0642dafaa89eb99c5316ca4e2d9ef497430e21fbb50f91da88e6457f4ec7ab0b88767963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f8e7.TMP

Filesize
872B

MD5
7f5db37762b3664236519ab9f4acf92d

SHA1
2336cfed99a5329f4975a83a1f19dac36a4931b9

SHA256
5dadaa2b259f02302c2012c8b9bc498407cff64641c35e05ecf9afd0281c04fa

SHA512
79d99bebb058cd1ab0691c2fb46aec25101b2c535e19cda2dc604db364ef7de1492b758dfce002ebf070f14b1b9e88192393b8d838ec4dc14a35c5cf35cb2ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c79fdc11-5cea-482a-b716-67718c71fc0b.tmp

Filesize
872B

MD5
8991d4f0346ed452852c5b557e717893

SHA1
d51ba3e58dcafa700fea2d8f3bb59c619a7e79f7

SHA256
ab62b8970f65ae8e2e5eb0b0a418e902f870b28e9073bd8e57d23e5639f725d4

SHA512
b7f329fa5c423170816077ae3b4f0ffcad73166a45e946b18c827d945c9b5d0ca313aacd4b20673d92317e49125a32582f781479bd97ff58a3b1c6e70a9370b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e0548c1174c20d4c48dac5ce3cacec2

SHA1
840cbbd2deb63619abe69d3325a4d7b8405822ae

SHA256
e28179626763828e77ef3421d889fefecba5dc82f6fadcc6ff3588004245d36d

SHA512
26e9db303cb0568bf6986c3f89d0ab859474832bdf9170cee87195783188895941af4df5b113138fc6240f55d8b2dc70699bc208bdd60b04e93811e1c802fb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ca8e80220d31c5cb08ff6cb98c9a5c54

SHA1
9f12828be0245019223556f16b76d3ee7c80aeb8

SHA256
1110ba11db2951cfb17cb85ddd6625f7abe940cb001b2732c731c0255e82b503

SHA512
a4d4c2580952548bc4d37a2a953d1aab89c374c7460036d47c021743c61a8e641d6d532db1a420bd3206c420429637e5e2c4469ba45581bbb943fd7d31ef8ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D78.tmp\9D79.tmp\9D7A.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5As4gQ9.exe

Filesize
98KB

MD5
b6218c5229865c5c2c1853981627e29c

SHA1
427281990bc5a4a6549b4ee8dc8c5c55905f1c48

SHA256
4a61a3e5e063f1c48c8401a8580aea65811a342a812648b1aa1032735a89b7a5

SHA512
e082a5a8fbaf20e1344dbd759cc72ae7f1df836d15f661ce2710d8825c6d5d075aac2c8ee5ad660b41dd9df86e5213498a7489f6a38476221a024948bdf5c434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uj2pM83.exe

Filesize
1.3MB

MD5
8e8debb89b1a63efb84a835f5740b116

SHA1
6ab3582df149769936749a7f16a5d19bfc63b509

SHA256
3e5708e09588dd3098fb969b999671947a8f86759a2014156c181bf36d109263

SHA512
265f0540050823e31927c5f86ef2e46c193c84dfb92d453dbaf42896f065ef33385c86ff3c8d2844f310cd83f9b01dcf4fafba257e646e639e7b72ff3358d47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zT159yC.exe

Filesize
1.1MB

MD5
d3caddb6c358ccdc8f22be1e85043493

SHA1
88a8169e207b173b9e5b939f4518d781272e4830

SHA256
6947d53f57fe0efbf503900ec868ddd312dcefbbdf920499a18f58a32dd9642a

SHA512
edbfd3d74d418b7064f34a77415f8828b86089d40dd50aae90efab3e48c3c4dcdfc06b2b06c8172a932a5c7bd2cd91b9e9266654e3da5a6b25fc33d224c2e1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pq4YU94.exe

Filesize
894KB

MD5
b2d61fdbf8db9d031318e9adf4c6598e

SHA1
de5ad7a867077bfb8004ba5131d3ba250ba1645e

SHA256
b60cc4ead4b90a1b43cef2178b00f6470e5daf063605ba1718488b1d0adc750d

SHA512
da61f56b651d8fe1f2fb393dc9649fb27bc2b431df6779c328b524835d8d739537dbeaa34a99e2d7a9d98c2384ce327a0c45122bec1aeb82ea403aa14e5f280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ip67ST.exe

Filesize
896KB

MD5
5955796fd577ae102ab1053237cd9a24

SHA1
88ef00934634913e111e961ebbe3ab5332516682

SHA256
b70082f3b7c4bf2ada1e680f0716f809712dc16a4f84c3708bff2ba274e893d3

SHA512
c5107dfb2dcdfb7599d091445fcac8fcb703c6ef62db5e68c29754a3772d36c3825e95257598ffd67647de7c6400800d0cede56a1fa75b0ee141598560f3be07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kk8SI89.exe

Filesize
533KB

MD5
26fc1f2619b71b7dab975a6352bf8392

SHA1
5423764ce09928ca5d99899a12920c524a7f2980

SHA256
cceb77339659b1781c73e4b56870fd2722ea9a264ef73ee1172d128106d3a370

SHA512
92b8932cca65a93211f71b78add71816d2f4f6b0af75bafb1b647289ad83cb9cd2e9bb9544baf50815a56a00f1944ae0d797131ea0422d33d7bfbd5d37b41ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1iQ06oE3.exe

Filesize
232KB

MD5
3ff825411b1fe07e712a5dcae34f80eb

SHA1
e3e4358cabfa74d6e36e26754b01ed78434a6877

SHA256
69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

SHA512
325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xB2299.exe

Filesize
1.1MB

MD5
8d15a348ad813197bb521ce7f64c0899

SHA1
903c1939dd61cded08699ac19b68e0f281a7da0d

SHA256
6117adec16a9c87635de79a643124d3f31ca6b4b8e750f95f226f37787b66b15

SHA512
6a01b04ac4211aad49314bc3132faec59f159fa73cb4775ea52f480c9ad059602612e9f62bd5223b06ac45d00d2c2d2cfb430d15d8642dbf5206903d2236c965

Download Submit
memory/2680-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2680-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2680-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2876-29-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2876-47-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-58-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/2952-57-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2952-56-0x00000000077D0000-0x0000000007862000-memory.dmp

Filesize
584KB

Download
memory/2952-55-0x0000000007CE0000-0x0000000008284000-memory.dmp

Filesize
5.6MB

Download
memory/2952-54-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2952-65-0x0000000007A20000-0x0000000007A32000-memory.dmp

Filesize
72KB

Download
memory/2952-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-64-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

Filesize
1.0MB

Download
memory/2952-235-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2952-63-0x00000000088B0000-0x0000000008EC8000-memory.dmp

Filesize
6.1MB

Download
memory/2952-68-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/2952-66-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/2952-250-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3092-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-48-0x00000000034A0000-0x00000000034B6000-memory.dmp

Filesize
88KB

Download