mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe
Size

1.8MB
MD5

ae40dabebed6d3bb557de110ec0c6c54
SHA1

d67d82f55b82f90fe157f17f7978697376aa2934
SHA256

8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2
SHA512

77a03e86e2235d01319d484c271cad80cae6028d27af25c2158e22c93c23692a8456bad7ef20dd8e1d65f5c77314ab24c3d378a68c618692f96f8c5509ee13c7
SSDEEP

49152:9tH2hfpwhXRnvMM3eWH07UnnhnXn3kDQ:725pS9t9Ki0c

Score

10^/10

mystic redline smokeloader frant backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral10/memory/1048-66-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/1048-69-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/1048-67-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral10/memory/2244-77-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 8 IoCs

pid	Process
4368	hM2Gp70.exe
2752	cQ8Vb73.exe
4804	UI2Dk24.exe
3928	1yy47mm5.exe
2692	2Bz5997.exe
2748	3cx16Qg.exe
1344	4Ni921FO.exe
1168	5yw6Gj5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hM2Gp70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cQ8Vb73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	UI2Dk24.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 1888	3928	1yy47mm5.exe	88
PID 2692 set thread context of 1048	2692	2Bz5997.exe	95
PID 2748 set thread context of 1468	2748	3cx16Qg.exe	99
PID 1344 set thread context of 2244	1344	4Ni921FO.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4924	3928	WerFault.exe	86
2676	2692	WerFault.exe	94
1456	2748	WerFault.exe	98
4468	1344	WerFault.exe	102

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1888	AppLaunch.exe
1888	AppLaunch.exe
3612	msedge.exe
3612	msedge.exe
3184	msedge.exe
3184	msedge.exe
2392	msedge.exe
2392	msedge.exe
616	identity_helper.exe
616	identity_helper.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe
2392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 4368	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	83
PID 2792 wrote to memory of 4368	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	83
PID 2792 wrote to memory of 4368	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	83
PID 4368 wrote to memory of 2752	4368	hM2Gp70.exe	84
PID 4368 wrote to memory of 2752	4368	hM2Gp70.exe	84
PID 4368 wrote to memory of 2752	4368	hM2Gp70.exe	84
PID 2752 wrote to memory of 4804	2752	cQ8Vb73.exe	85
PID 2752 wrote to memory of 4804	2752	cQ8Vb73.exe	85
PID 2752 wrote to memory of 4804	2752	cQ8Vb73.exe	85
PID 4804 wrote to memory of 3928	4804	UI2Dk24.exe	86
PID 4804 wrote to memory of 3928	4804	UI2Dk24.exe	86
PID 4804 wrote to memory of 3928	4804	UI2Dk24.exe	86
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 3928 wrote to memory of 1888	3928	1yy47mm5.exe	88
PID 4804 wrote to memory of 2692	4804	UI2Dk24.exe	94
PID 4804 wrote to memory of 2692	4804	UI2Dk24.exe	94
PID 4804 wrote to memory of 2692	4804	UI2Dk24.exe	94
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2692 wrote to memory of 1048	2692	2Bz5997.exe	95
PID 2752 wrote to memory of 2748	2752	cQ8Vb73.exe	98
PID 2752 wrote to memory of 2748	2752	cQ8Vb73.exe	98
PID 2752 wrote to memory of 2748	2752	cQ8Vb73.exe	98
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 2748 wrote to memory of 1468	2748	3cx16Qg.exe	99
PID 4368 wrote to memory of 1344	4368	hM2Gp70.exe	102
PID 4368 wrote to memory of 1344	4368	hM2Gp70.exe	102
PID 4368 wrote to memory of 1344	4368	hM2Gp70.exe	102
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 1344 wrote to memory of 2244	1344	4Ni921FO.exe	103
PID 2792 wrote to memory of 1168	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	106
PID 2792 wrote to memory of 1168	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	106
PID 2792 wrote to memory of 1168	2792	8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe	106
PID 1168 wrote to memory of 3104	1168	5yw6Gj5.exe	108
PID 1168 wrote to memory of 3104	1168	5yw6Gj5.exe	108
PID 3104 wrote to memory of 1316	3104	cmd.exe	111
PID 3104 wrote to memory of 1316	3104	cmd.exe	111
PID 3104 wrote to memory of 2392	3104	cmd.exe	113
PID 3104 wrote to memory of 2392	3104	cmd.exe	113
PID 1316 wrote to memory of 4700	1316	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe
"C:\Users\Admin\AppData\Local\Temp\8155bd24d116c57eab78ae836bd626ad73ea195b6cd88928129bb6fd1f3a80a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM2Gp70.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM2Gp70.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ8Vb73.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ8Vb73.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UI2Dk24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UI2Dk24.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yy47mm5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yy47mm5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 572
        6⤵
        Program crash
        
        PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bz5997.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bz5997.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 572
        6⤵
        Program crash
        
        PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3cx16Qg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3cx16Qg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 572
        5⤵
        Program crash
        
        PID:1456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ni921FO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ni921FO.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 600
      4⤵
      Program crash
      PID:4468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yw6Gj5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yw6Gj5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\60EC.tmp\60ED.tmp\60FE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yw6Gj5.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb546046f8,0x7ffb54604708,0x7ffb54604718
        5⤵
        
        PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10069531830470539942,14436189465280839325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:3680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10069531830470539942,14436189465280839325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb546046f8,0x7ffb54604708,0x7ffb54604718
        5⤵
        
        PID:4688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        5⤵
        
        PID:452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:1148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        
        PID:2260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
        5⤵
        
        PID:3280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
        5⤵
        
        PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        5⤵
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        5⤵
        
        PID:5396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9344524608712239223,4178107688950837796,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3928 -ip 3928
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2692 -ip 2692
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2748 -ip 2748
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1344 -ip 1344
1⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
84ab6eaa6017ea982a9939a9a039d312

SHA1
91897360c2b49b9bd1c1291a5fc4367281926cb9

SHA256
ef170254a977531cf5e80c2624a709fc00dd54ce15989900c64b630aa2b3de6c

SHA512
dd4073d1829968aa1845e2fa83210b8576a1cb2a87a94ecafc5f6cece8935b19401dff256e321d2279dfc318582611d69130485e90769d93b7c505b3e0a21108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6c7add4f4f65f224bf66359bce1539e0

SHA1
c3e0428599b89c8e4ff08103d587d3ae422017a8

SHA256
199bc820aacf4246b7289619d600340f049f7d1791f9b3d34a1127f3a879a14d

SHA512
b70f27f546c825bd0c9caf892486d5e886f170daf386ae18ef8d852642bb39ad0b70bf8db3c58dc2976ebdb8257cedcb4c73a98508a644e0490dd27456d983b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
43a98c30ef86a444a2c8164e7ed4a6c3

SHA1
48cec9e6c6b5fe1f55ab3926407df565c439e818

SHA256
63964e4c189e6badec2382a09bb00ebc0ac4f3f8c3e4a7c0a05f2c4ab3818d92

SHA512
cbf418751bee0f49ee277c7b7ad2562d4a55d7aa12bc08dd9501f98423b6c5ba2b2194fe280b16c960680b0bccc76e701404c32edf06f4746c9e808cb7672b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4dea4d60e97d207ec208896481a278d5

SHA1
8257ffffea026a929bda64b7a4a8949c95502dc0

SHA256
408c834eac638e1886453523b586bc462c5b2c0b1f20966edcde040dba3cdfc6

SHA512
1e3ece8cd32f4b46c6fc6a083a1a136633bb9ade0c0ff52ec05ff66aeab819f913c1b6970cd0551ab97bd18d7a8e0df112600836fb84397b593af424f4b5c968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02a8413670a1116902f335f529b95f48

SHA1
bbf110c6d8881e063839958c221ac8b4958b1c69

SHA256
3c8cc2c61e3f1210c04613358b32cd7604c466df4b820a4382d997db5842dfda

SHA512
5dd17af046f4307a99e9791ed268f575a8a76e3d49483f8b6d0c0a4284cefc7851f518a78edd6b3c2209dd4a3954165ae124e61a7e26dd745cbf1cfd2c087f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
99f73df8eb4fbc42f207b3afe20e169a

SHA1
da2320c388fa079bef61513b74924dab77fd2a15

SHA256
8d32465252157347e880ced39e25f644f63eb60c8be6ee5c9cd63ab1c82a256b

SHA512
b179a4225a2399b1c7261f054c8873d95ba9911663aafa45ed0f3e14deb267bcb11edaa37471a3a1883d8f1705feed1582ac2bc4474a5647dd5f935d330cd0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b88c8d058f0933d015ee463bc1e58c93

SHA1
5742475ad2141c1f6fe68026ad1dc5bb88b3d2d6

SHA256
2b9f0e9df6ff7ea184323c53753663fecc1737bcfe34a3539115f9e898c2c8fc

SHA512
7f17836397a39b39975f96c9613b4f7072f995024e174e848ca2f912451ee14782719a6ac2e8ec5d3a5e6cb0e29d9ed8c6872b39977fa1fd3fa1c0a385b159ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b58bc86af9226cad7c7fedce072fcfb4

SHA1
e1473baa1634108609d8a1de2e79ffe6577721ff

SHA256
33e426ca1cf5a15abedab7108150edd925eae8a707acad5db08ae2ccc9e7d0db

SHA512
ead7e7895f704c51589f3f34cde6598869d62ef295cf9277beedd3e16cae99312c91a965f078ad4b3cd1536760057b1ae3937dbaec6103761adc68ddfaa13f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b7f6.TMP

Filesize
872B

MD5
c023ff6ed440289e3c6db07715c357e9

SHA1
d910cda3a7f91adcfa8f166d701bd57308de5f6b

SHA256
34f78723947cb17274e44d11e16e733e236efd624441461951e788399022c97e

SHA512
06c44263fa69c8168549e67cfea28472a3b6da1ae00dca850d39dc3a26deab0c2690885da8d8af532c6ba1ea91d0deef3686b76d83b5a1bf941c9850e14e5a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e2d4a7dc883a0c99ea774c0ec4c08f72

SHA1
c0dcc21eecea4ec358f82b21e0f1523c96965a35

SHA256
14fbbafdb056936751197f5cab2b753a0ae4010edba649949fec26bbfc02cda6

SHA512
7be14cb568dfd36353c57d3726db8c038eebda33c35837b2c77fb1090c309ed8f7e348515a0d1df346e101261e580f8c87e5cccc2abe5b5678a7a99665e025b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1cc2b9299050169823bcc5f86bde04ab

SHA1
d0ed45cff867ebe8305555122f143564f9388a93

SHA256
0e82ecdcc69aa1fd7a5a66073db45aa92ee4ef71935d58146fa53044eed9d2cf

SHA512
5b51e0f91c836df7ef6a807faf9e61b66972459430b023c7f788bc2b9333bf5be39d680e9b4eb3af34edb6206183df0ae256463f175079f6f9333b5464cede91

Download Submit
C:\Users\Admin\AppData\Local\Temp\60EC.tmp\60ED.tmp\60FE.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yw6Gj5.exe

Filesize
100KB

MD5
62e44c3d61c5679b92ce6d692db14ad5

SHA1
62300561bfaad5bdb9892ca2a6a065b31871998a

SHA256
e96ea38001e4cf8376091077535da62d5023273c14e1b76d30cdec7798c1add1

SHA512
802454aa460d004bd65ab2bc75720293085c0e3671db8ace4615d13822d9cdf1f1f8784702a01fa8d22b3c333867f7a33af30359fdd352071550eeea6bc5e386

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM2Gp70.exe

Filesize
1.7MB

MD5
81dee6b91ef98598368990572fc0d1e0

SHA1
793bf6158ed8666d7ffcf51a46554f9d8389de1f

SHA256
e4df21ced255732439089194c811728715fa68a7ba2ac0923c78671bc3c6829a

SHA512
9b181fba5292a40602cb68b2598e332c942c796458f7cb2f694679277d3e6ccf87edffed7bb9b528ca5c0475ec16d9699c7aed08595521532e47fd0c10c06f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ni921FO.exe

Filesize
1.8MB

MD5
cfbb3be155b12d0cc69e3d932fbb81eb

SHA1
fb5ed48a80131043c4dd2e4ac69b4b38578f9753

SHA256
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2

SHA512
38aadedee5bd57c7f475e96d74abbb0e671bca462c2c700b7a034e2d1513bd8aebc30b7b75bf1e8cd7b7e3a831e69d5dd0ceaee3d18ed296a2cb3d1b051164cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ8Vb73.exe

Filesize
1.2MB

MD5
29a437db993b0c1bc78c4280a4e62f98

SHA1
a62b8815fc32b4b1cda4af0679890dce83337ba7

SHA256
d8ea62725f28783da816d46dbf88c7b0a783657021a94afc7ae1690d272f04f5

SHA512
c0e9d8d46618161a49b7fe83fec997e08bafe081a1c07ba11c2335964c22dce3dcf91c1f345243f0512bc3822fb19aee95d076350e76dcf76bcdd535efa5d77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3cx16Qg.exe

Filesize
1.6MB

MD5
7d377f5e1ba6597ff2cfe4f92639367d

SHA1
188ab803c9926ff3448c458030f418099ea03407

SHA256
c705efd2888dfbede96714b58aede50a28b3da45aba83a909cb104ce34dc735e

SHA512
2adad69f3a358ad955b00c8d7826c396feef9d583407d4c7d53ce3e16ed760f148f553f49df5bbcd6c5c68b87bcf7e1472d3c789946b23dab7ae94b4036540e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UI2Dk24.exe

Filesize
725KB

MD5
1e163fb25f91a70bcf657b169739a8ac

SHA1
7f8008f1ab24e3e8127b8da414de5acd84f39bb7

SHA256
93796dde7bb0507f959fcdfd36abae0f2ae69a459da9de3dd936ef71ce5eed68

SHA512
ed375458e9a389bff76f33f813f835787c6e0a0d97624721bb57c52f8a9d9e7fa35819a7025a736151df25bf3b28f597650dcf260dab4a7e6a365c4a9a5304c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yy47mm5.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bz5997.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
memory/1048-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1048-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1048-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1468-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1888-44-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-33-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/1888-38-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-40-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-36-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-42-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-48-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-32-0x0000000002D70000-0x0000000002D8E000-memory.dmp

Filesize
120KB

Download
memory/1888-35-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-34-0x0000000002EF0000-0x0000000002F0C000-memory.dmp

Filesize
112KB

Download
memory/1888-46-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-50-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-52-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-54-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-56-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-59-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-60-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1888-62-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/2244-78-0x0000000007A40000-0x0000000007AD2000-memory.dmp

Filesize
584KB

Download
memory/2244-89-0x0000000007E20000-0x0000000007E6C000-memory.dmp

Filesize
304KB

Download
memory/2244-88-0x0000000007C90000-0x0000000007CCC000-memory.dmp

Filesize
240KB

Download
memory/2244-87-0x0000000007C30000-0x0000000007C42000-memory.dmp

Filesize
72KB

Download
memory/2244-86-0x0000000007D10000-0x0000000007E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2244-85-0x0000000008B20000-0x0000000009138000-memory.dmp

Filesize
6.1MB

Download
memory/2244-79-0x0000000001560000-0x000000000156A000-memory.dmp

Filesize
40KB

Download
memory/2244-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download