mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Size

1.1MB
MD5

8dac299e092f27165c51ef8f3dbb4abc
SHA1

e9766391e0d24fda435682e27203453100dd66d0
SHA256

cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256
SHA512

f8f780c9852570d62eba8ee2c1578cb76dadfcdafb4dde3384913ce84b8d27f3b02af39891e629ca8812b328c8f8a657e9466ba3dbdad4f124f873ba45f85925
SSDEEP

24576:UyxHA1Gjwbjz572eC77204/eYoTVoeLZlYzLU:jxg1LZ74m0xPL7Yf

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral18/memory/3840-32-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/3840-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/3840-33-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral18/memory/5092-43-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5CP5Aq1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	5CP5Aq1.exe

Executes dropped EXE 8 IoCs

Processes:

Bv5lV87.exeyv1qe83.exeRC8wh38.exe1TC15Dq1.exe2fc6555.exe3Uh01lj.exe4mp841px.exe5CP5Aq1.exe

pid process

3184 Bv5lV87.exe
552 yv1qe83.exe
1172 RC8wh38.exe
4956 1TC15Dq1.exe
4288 2fc6555.exe
4796 3Uh01lj.exe
2376 4mp841px.exe
3752 5CP5Aq1.exe

pid	process
3184	Bv5lV87.exe
552	yv1qe83.exe
1172	RC8wh38.exe
4956	1TC15Dq1.exe
4288	2fc6555.exe
4796	3Uh01lj.exe
2376	4mp841px.exe
3752	5CP5Aq1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RC8wh38.execca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exeBv5lV87.exeyv1qe83.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RC8wh38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bv5lV87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yv1qe83.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1TC15Dq1.exe2fc6555.exe3Uh01lj.exe4mp841px.exe

description	pid	process	target process
PID 4956 set thread context of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4288 set thread context of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4796 set thread context of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 2376 set thread context of 5092	2376	4mp841px.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2236	4956	WerFault.exe	1TC15Dq1.exe
2968	4288	WerFault.exe	2fc6555.exe
1388	4796	WerFault.exe	3Uh01lj.exe
4068	2376	WerFault.exe	4mp841px.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

AppLaunch.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1924	AppLaunch.exe
1924	AppLaunch.exe
3032	msedge.exe
3032	msedge.exe
1048	msedge.exe
1048	msedge.exe
4040	msedge.exe
4040	msedge.exe
4956	identity_helper.exe
4956	identity_helper.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
4040 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1924 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1924	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exeBv5lV87.exeyv1qe83.exeRC8wh38.exe1TC15Dq1.exe2fc6555.exe3Uh01lj.exe4mp841px.exe5CP5Aq1.exe

description	pid	process	target process
PID 4964 wrote to memory of 3184	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	Bv5lV87.exe
PID 4964 wrote to memory of 3184	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	Bv5lV87.exe
PID 4964 wrote to memory of 3184	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	Bv5lV87.exe
PID 3184 wrote to memory of 552	3184	Bv5lV87.exe	yv1qe83.exe
PID 3184 wrote to memory of 552	3184	Bv5lV87.exe	yv1qe83.exe
PID 3184 wrote to memory of 552	3184	Bv5lV87.exe	yv1qe83.exe
PID 552 wrote to memory of 1172	552	yv1qe83.exe	RC8wh38.exe
PID 552 wrote to memory of 1172	552	yv1qe83.exe	RC8wh38.exe
PID 552 wrote to memory of 1172	552	yv1qe83.exe	RC8wh38.exe
PID 1172 wrote to memory of 4956	1172	RC8wh38.exe	1TC15Dq1.exe
PID 1172 wrote to memory of 4956	1172	RC8wh38.exe	1TC15Dq1.exe
PID 1172 wrote to memory of 4956	1172	RC8wh38.exe	1TC15Dq1.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 4956 wrote to memory of 1924	4956	1TC15Dq1.exe	AppLaunch.exe
PID 1172 wrote to memory of 4288	1172	RC8wh38.exe	2fc6555.exe
PID 1172 wrote to memory of 4288	1172	RC8wh38.exe	2fc6555.exe
PID 1172 wrote to memory of 4288	1172	RC8wh38.exe	2fc6555.exe
PID 4288 wrote to memory of 3896	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3896	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3896	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 4288 wrote to memory of 3840	4288	2fc6555.exe	AppLaunch.exe
PID 552 wrote to memory of 4796	552	yv1qe83.exe	3Uh01lj.exe
PID 552 wrote to memory of 4796	552	yv1qe83.exe	3Uh01lj.exe
PID 552 wrote to memory of 4796	552	yv1qe83.exe	3Uh01lj.exe
PID 4796 wrote to memory of 5044	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 5044	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 5044	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 4796 wrote to memory of 2720	4796	3Uh01lj.exe	AppLaunch.exe
PID 3184 wrote to memory of 2376	3184	Bv5lV87.exe	4mp841px.exe
PID 3184 wrote to memory of 2376	3184	Bv5lV87.exe	4mp841px.exe
PID 3184 wrote to memory of 2376	3184	Bv5lV87.exe	4mp841px.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 2376 wrote to memory of 5092	2376	4mp841px.exe	AppLaunch.exe
PID 4964 wrote to memory of 3752	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	5CP5Aq1.exe
PID 4964 wrote to memory of 3752	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	5CP5Aq1.exe
PID 4964 wrote to memory of 3752	4964	cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe	5CP5Aq1.exe
PID 3752 wrote to memory of 3988	3752	5CP5Aq1.exe	cmd.exe
PID 3752 wrote to memory of 3988	3752	5CP5Aq1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
"C:\Users\Admin\AppData\Local\Temp\cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bv5lV87.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bv5lV87.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yv1qe83.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yv1qe83.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC8wh38.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC8wh38.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1TC15Dq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1TC15Dq1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 580
6⤵
- Program crash
PID:2236

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fc6555.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fc6555.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 588
6⤵
- Program crash
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uh01lj.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uh01lj.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Checks SCSI registry key(s)
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 572
5⤵
- Program crash
PID:1388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4mp841px.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4mp841px.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 620
4⤵
- Program crash
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CP5Aq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CP5Aq1.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5227.tmp\5228.tmp\5229.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CP5Aq1.exe"
3⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa745a46f8,0x7ffa745a4708,0x7ffa745a4718
5⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
5⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
5⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
5⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
5⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
5⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
5⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
5⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
5⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
5⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
5⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,6529191600309501459,5574973314854834433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5244 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa745a46f8,0x7ffa745a4708,0x7ffa745a4718
5⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,16348885727473948512,1735272562212760139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
5⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,16348885727473948512,1735272562212760139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4956 -ip 4956
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4288 -ip 4288
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4796 -ip 4796
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2376 -ip 2376
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\579d9f98-36ca-4c6f-b48e-f2aa3f32a6a4.tmp

Filesize
11KB

MD5
ddb4cb36cb8a40bacf1949de02405910

SHA1
8b5ae926ae7d2c0de62693d613aaf23f76a44d5e

SHA256
30fce64231ce8e25ab74b7fa3a3ace5453323ff3b3d21dd009033d7705ddbbf2

SHA512
160734d1e55266f4f0892ccae40962838eb45a1bfa54c6f91e4cbba6e5cec78b7c79909666abff403dc3ff227fb18331e26724c1dfd18c7c968d15c4031b57b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d57167fe9038789cc4ae87178c61094b

SHA1
4ca39acf7182ebde773dd5b041a1cb84f0397c95

SHA256
02fd4d0bbf2649a6e38aaa3ae938e272930983f6cb88416abdab66bd3f3f9d3e

SHA512
6b81a001aa37b9c69584caa070469b8f5c696e3c1a39123f6f7e59e66d7eabad57137ae13ec10f3705febb9f3ef5922de8304ba85bf2bfb64e69fc57081b3f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
183920a7c02ba14d26c7d1dd36c14769

SHA1
1ba25cefed8d7219e080f58e2bb24381d991c2cc

SHA256
16b62ea5d2ee4519a512a2f8cb0fb7457a51d1eb648919426014968001c52feb

SHA512
1a03599c2b846772ce1c1a39fa4f270c80239b243139fd5f99b745ab54b36cc5516037f247146286ff0bbdb0d6b087fc220bfc4a4b4465c25606c3ecfd05d71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
71db6af9bf37ae2d31312ddeae184fd9

SHA1
4ca31f90055cbd474feaf89015cce625ea4af5a6

SHA256
5d3dea797a26d3fd482a8ebe287117c64bcfa94525fda93b2216146d3904b7c5

SHA512
f2c6aa97c0406a40604c99f582b06d86fb75a08a4f7cbe0f651936564fc267e41a42c08ac38a07848b63284b7b5c21ab3e9e5222e2edd2d90dcd67307cfaed37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
96bb4a8a52625115961367091f10819a

SHA1
8f81eff9fa2d0648cd35b22ee33da5f5e9dec896

SHA256
896aac834cc91995503d5857727f883d02d3a881fcbeadc43835bff5e1ced2d2

SHA512
667650dbc8301e6d76c5cf080ffde374e4b5cc34614265e731333d480d2ac38d4c8088fb17e15c8da022b6ec2065f1594ed1544dbf40fb15a3cac7157ea4f5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e244afbf34d3cfef985a3391997ef54d

SHA1
acf894a39d92574bf22dfe164c2ac5263e6d96e0

SHA256
013460e0b018912a4300e28dcc93193fa128df06f2c2fe681d7b47eec2f474a8

SHA512
09e7f67c24a310a2a773825d9331e78212d8f056a0e889de69205009e91d59672ee5f2ececad3a3a65bf963a78d11a5932729873ac44c02ea2883cbac5544b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
6aefb44d52a7687da00e139efd9aa4c7

SHA1
1d24bea8361499a83541938636b275c4659afb09

SHA256
152ff3e3730c43886ebdc94b7e6ac647a9b30ba928f4b0ed910f0b41908afbf9

SHA512
a71bb355c1a88086ebe30fb606c9ada62a56cb560e32704fe745fad3acb137ce485cf7bdde335051b6038519aa3d204833c918b7a00edc425b7c8359e69904c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c786bd33c2e0f5b8fd52805331d20d6b

SHA1
5328510aaa2a4d784363f2477889d9f55818efd9

SHA256
119c289db1f4805cfe57c5987e29c0ff2ceb3a1f5e0bde9e65821e856ae48dfd

SHA512
5cfb6403d094e050add268125d982d0fc3c79c1dcc8c332ea17b9ca9fd041fdbc2aa224150209c1cb039d9ba66c9482de593e0d4a289a3f6abb4b9bf6d556ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
63877afcc6510d62a95f418d0ae9f4c5

SHA1
46e8edf72e29a77b06cc7a12ee13ad2dc8579198

SHA256
c4f176ed5194b6508587e89119c33f3ec699402eab1810fb5cdabec47707ec98

SHA512
4ff3c307f6617d22ee48819b85ced7f578f8e4bc0f5e3214eef9c128b17858cfea7c0def8f9f5eedbdb1c561594f53eb36816be78f7c6fb70076b3b1a8424df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
6b53a59521aa098e4740e18c2f6b3e28

SHA1
460cfb865fcf02538fe0f310675fe18ab1eff1d2

SHA256
30a535f6be3832992f0f9f0ce46eedb87a50876a68cc84855d8f6cf66d75f4d1

SHA512
bf610511672c1709ba1e5b87d6b68a0d80ed4fa7ad2ab1fe99df4f9abac6417d7964e70c006105e0aa37d9c7459bacba360580fc75acdb847e4bfc84b4676bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bd74.TMP

Filesize
872B

MD5
1fac71878bbf48d0b1fd836d52118ec7

SHA1
3935291aee758058f913d3d8729c08ea752f2a27

SHA256
76c1b5244a8315f9d07712c2393087dfe84861d7266e3bfed765b2f5ffb73664

SHA512
a4ade5ab2fefe6f97004c0b7c49be7f05b500a1959499edee476f4ace2bc46a2079e43df531bb6629bd62b7f41d0988b0bba5cd76003a3c1a7d36fd48a335daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8eac0f68d9019d24db392835e94175d8

SHA1
ef8c60db36f6a59f663070dfe78f99772abdf733

SHA256
d0a964fec884b5157b4ee29f78f961d3b500a3b378c5ed4d48b69a1d51be7e9a

SHA512
c70e3a6a31549317949d3d5d790bb46f9e5ccdf5feb46deef2272a5cf724935ac8f311f1a11e9f6e8f276c0492f270d6c18c023e8f88a52e04f5c6b96cd38bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5227.tmp\5228.tmp\5229.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5CP5Aq1.exe

Filesize
97KB

MD5
0f6a016e3d9c9cd9ebf45ee997b956bc

SHA1
53ec7e568c61a1c0005adc92cbddbb8898791072

SHA256
ce0454ba43f8ba1057fa0565d24cd737174387c69a128c31af3330d9dcd67785

SHA512
831013484dd49d9a5a15ff75ae4f80bae824647b011c66aa12219eeac882aad723f3dfed2afa4bccf20e1e9c502f86b80bcf846472ddb3d0f8bb119d2cc6f216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bv5lV87.exe

Filesize
958KB

MD5
7fed10d689af1f44b220d6d6199304a9

SHA1
ed09c8b0ed6023347e1154e41edc0c5cee31de05

SHA256
49a4341660a750b4d6c1fd7fec0fd0410d84704eea255015feeca5419f61153a

SHA512
7d5c3233688522738ae604161b561890360e8aaa0605df7a1ae24eb6fceae6a74435c78cc48f34e7038266ea95e38b7b39120e3dcb09623c7256f9446049fe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4mp841px.exe

Filesize
485KB

MD5
dfc19920c64bdd28505b4e88a1608cea

SHA1
794bb5858bb8c1f4f8ce8664519ababa95828c3c

SHA256
886f947c2be553bdfbeb2008882d49ed900abee6f7d030acbfb6e7ad64945eb4

SHA512
2a8782348834b4217b41f7d7e4a92dc0ce0f866ed98140a75eeddc28f93cf6028b8d2b6a7d96146a768b7ff59b2fa4a2015b4cd8810cfd33168b246cbbe07b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yv1qe83.exe

Filesize
658KB

MD5
ad939b8728fc213d200175a5861985d7

SHA1
32a7adeacee2eb8417a3c5aee3046ebc479d902d

SHA256
eeacb2b27e5dcf252077d53ae54ffafde072e26a9f1cdba5f5b655179af73c9a

SHA512
924e4052a21e5c8268dc8a3964fe6bf36e2546c412fcb70383029f0f196c7df7719c25e3d30d57f5ef61192fbe50a5e3a7e7aaef6d9515757ab6ba8449898c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Uh01lj.exe

Filesize
297KB

MD5
68cbb1bac87a574eddc1cc9a3cbd01b1

SHA1
5fc0ca4e2aa9e7cac1e26eb22607e3472cf3ef59

SHA256
6b90caf1c87d30d3338b8c02582a90abc5ade1a2381eef20cfd32ab28216d622

SHA512
52acd908568625d1e3f9cb62518cf7e6e4a19d1efb291a98d997fbc396dc9e952f921a608c6e3dcdb5ace16e1390cefe45cdd93f29d1581696042dc1a98e1828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RC8wh38.exe

Filesize
405KB

MD5
53012f0aafb8604ccf4924c80d1b272e

SHA1
dd37f7f352192c7fb694069eab0bdf402adf4379

SHA256
abdb564311bfc665065c68a929de8fa971e2d06e3dd5659e31f31a86faec5181

SHA512
35519d3ed2cd09782f54070e773925f1f9d5955406ec1db012e1609cba73f65975beefcb59618a132f988c454d8976b2f87a728cc83aaf5df383e38ca8ecf2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1TC15Dq1.exe

Filesize
276KB

MD5
85e75c783597e95385ca01c2f636d71c

SHA1
b26148bb6179d78c19db219727180122e3e1bf3a

SHA256
86ee1ed5cd80b4bd1091a08d83ddf8186ea582e209592d61ffb5958c101ccd7d

SHA512
31a06f4f57647cfdfea4b22c6d82360794b059f4d4968c458264ee081d83bbac3cb810eb7c58a0a9e39e17b64319749e235e42e82ec97b2c669b415d38be712d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fc6555.exe

Filesize
447KB

MD5
de5ce1a01f7a7961cde4f357a9d4a1ec

SHA1
cadda4586eb5fda5500c3ba63e2dbc535f9abc82

SHA256
73f904519e5daa3f39aba16f09342667c8b5baeb07004a4d8863cd00ec1138c0

SHA512
ad870aef26422ca2b33b57fc5e04b762f94b07867d5e7c8758741ac5fa607298abb3b0c1f5e4f24d7bb12951b618a8d175bfe114c8379dd8c344ef4b409349ae

Download Submit
\??\pipe\LOCAL\crashpad_4040_LKSIZSWOPPWXVUPK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1924-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2720-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3840-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-56-0x00000000078D0000-0x000000000791C000-memory.dmp

Filesize
304KB

Download
memory/5092-55-0x0000000007890000-0x00000000078CC000-memory.dmp

Filesize
240KB

Download
memory/5092-54-0x0000000007830000-0x0000000007842000-memory.dmp

Filesize
72KB

Download
memory/5092-53-0x0000000007960000-0x0000000007A6A000-memory.dmp

Filesize
1.0MB

Download
memory/5092-51-0x0000000008690000-0x0000000008CA8000-memory.dmp

Filesize
6.1MB

Download
memory/5092-49-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/5092-45-0x0000000007600000-0x0000000007692000-memory.dmp

Filesize
584KB

Download
memory/5092-44-0x0000000007AC0000-0x0000000008064000-memory.dmp

Filesize
5.6MB

Download
memory/5092-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download