mystic | ce9955c91d6a5f9e211ecb80cc51d8025eccfe4e1398947c094c94a6e2904f18

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe
Size

1.1MB
MD5

a0993b295f22b979045e9e5619184ea3
SHA1

7197bf0e4d125a3c1c45d39ae75dac7632557213
SHA256

0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5
SHA512

7944f2b0747af7dae01b8a3d7e58f30b784ba74225d0b03f6924a9c03fbb89e9a15a9e663831850e9373c8be56254513a6f2481710ba1b9642e92bd650e23ee3
SSDEEP

24576:UyiTdNkP+nx9l8jOuBMlDjy2YZpoDhR6sacCMyXaOvpsg8/j:jiTLk2B8jOuBMlyTpea/vXp1Y

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4600-32-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4600-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4600-33-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2128-43-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5TR3zQ5.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation 5TR3zQ5.exe
Executes dropped EXE 8 IoCs

Processes:

Ui3Tb99.exeZp5Qh23.exeaZ9fy75.exe1LV10RC2.exe2xV5613.exe3oN74eX.exe4lH972kJ.exe5TR3zQ5.exe

pid process

1260 Ui3Tb99.exe
1216 Zp5Qh23.exe
3968 aZ9fy75.exe
3624 1LV10RC2.exe
4848 2xV5613.exe
2836 3oN74eX.exe
4440 4lH972kJ.exe
2800 5TR3zQ5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	5TR3zQ5.exe

pid	process
1260	Ui3Tb99.exe
1216	Zp5Qh23.exe
3968	aZ9fy75.exe
3624	1LV10RC2.exe
4848	2xV5613.exe
2836	3oN74eX.exe
4440	4lH972kJ.exe
2800	5TR3zQ5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exeUi3Tb99.exeZp5Qh23.exeaZ9fy75.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ui3Tb99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zp5Qh23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	aZ9fy75.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1LV10RC2.exe2xV5613.exe3oN74eX.exe4lH972kJ.exe

description	pid	process	target process
PID 3624 set thread context of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 4848 set thread context of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 2836 set thread context of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 4440 set thread context of 2128	4440	4lH972kJ.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4916	3624	WerFault.exe	1LV10RC2.exe
4876	4848	WerFault.exe	2xV5613.exe
4540	2836	WerFault.exe	3oN74eX.exe
3800	4440	WerFault.exe	4lH972kJ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

AppLaunch.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1788	AppLaunch.exe
1788	AppLaunch.exe
1788	AppLaunch.exe
388	msedge.exe
388	msedge.exe
408	msedge.exe
408	msedge.exe
5040	msedge.exe
5040	msedge.exe
3472	identity_helper.exe
3472	identity_helper.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5040 msedge.exe
5040 msedge.exe
5040 msedge.exe
5040 msedge.exe
5040 msedge.exe
5040 msedge.exe
5040 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1788 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1788	AppLaunch.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exeUi3Tb99.exeZp5Qh23.exeaZ9fy75.exe1LV10RC2.exe2xV5613.exe3oN74eX.exe4lH972kJ.exe5TR3zQ5.execmd.exe

description	pid	process	target process
PID 3572 wrote to memory of 1260	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	Ui3Tb99.exe
PID 3572 wrote to memory of 1260	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	Ui3Tb99.exe
PID 3572 wrote to memory of 1260	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	Ui3Tb99.exe
PID 1260 wrote to memory of 1216	1260	Ui3Tb99.exe	Zp5Qh23.exe
PID 1260 wrote to memory of 1216	1260	Ui3Tb99.exe	Zp5Qh23.exe
PID 1260 wrote to memory of 1216	1260	Ui3Tb99.exe	Zp5Qh23.exe
PID 1216 wrote to memory of 3968	1216	Zp5Qh23.exe	aZ9fy75.exe
PID 1216 wrote to memory of 3968	1216	Zp5Qh23.exe	aZ9fy75.exe
PID 1216 wrote to memory of 3968	1216	Zp5Qh23.exe	aZ9fy75.exe
PID 3968 wrote to memory of 3624	3968	aZ9fy75.exe	1LV10RC2.exe
PID 3968 wrote to memory of 3624	3968	aZ9fy75.exe	1LV10RC2.exe
PID 3968 wrote to memory of 3624	3968	aZ9fy75.exe	1LV10RC2.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3624 wrote to memory of 1788	3624	1LV10RC2.exe	AppLaunch.exe
PID 3968 wrote to memory of 4848	3968	aZ9fy75.exe	2xV5613.exe
PID 3968 wrote to memory of 4848	3968	aZ9fy75.exe	2xV5613.exe
PID 3968 wrote to memory of 4848	3968	aZ9fy75.exe	2xV5613.exe
PID 4848 wrote to memory of 1908	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 1908	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 1908	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 4848 wrote to memory of 4600	4848	2xV5613.exe	AppLaunch.exe
PID 1216 wrote to memory of 2836	1216	Zp5Qh23.exe	3oN74eX.exe
PID 1216 wrote to memory of 2836	1216	Zp5Qh23.exe	3oN74eX.exe
PID 1216 wrote to memory of 2836	1216	Zp5Qh23.exe	3oN74eX.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 2836 wrote to memory of 2488	2836	3oN74eX.exe	AppLaunch.exe
PID 1260 wrote to memory of 4440	1260	Ui3Tb99.exe	4lH972kJ.exe
PID 1260 wrote to memory of 4440	1260	Ui3Tb99.exe	4lH972kJ.exe
PID 1260 wrote to memory of 4440	1260	Ui3Tb99.exe	4lH972kJ.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 4440 wrote to memory of 2128	4440	4lH972kJ.exe	AppLaunch.exe
PID 3572 wrote to memory of 2800	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	5TR3zQ5.exe
PID 3572 wrote to memory of 2800	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	5TR3zQ5.exe
PID 3572 wrote to memory of 2800	3572	0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe	5TR3zQ5.exe
PID 2800 wrote to memory of 3960	2800	5TR3zQ5.exe	cmd.exe
PID 2800 wrote to memory of 3960	2800	5TR3zQ5.exe	cmd.exe
PID 3960 wrote to memory of 5040	3960	cmd.exe	msedge.exe
PID 3960 wrote to memory of 5040	3960	cmd.exe	msedge.exe
PID 3960 wrote to memory of 1772	3960	cmd.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe
"C:\Users\Admin\AppData\Local\Temp\0697314d1d15813c538133353196a25ddf09e9340585e2de0be061757a02bea5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui3Tb99.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui3Tb99.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zp5Qh23.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zp5Qh23.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aZ9fy75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aZ9fy75.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LV10RC2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LV10RC2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 580
        6⤵
        Program crash
        
        PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xV5613.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xV5613.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 592
        6⤵
        Program crash
        
        PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oN74eX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oN74eX.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:2488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 600
        5⤵
        Program crash
        
        PID:4540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lH972kJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lH972kJ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 572
      4⤵
      Program crash
      PID:3800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TR3zQ5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TR3zQ5.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\81B3.tmp\81B4.tmp\81B5.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TR3zQ5.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x140,0x7fff830646f8,0x7fff83064708,0x7fff83064718
        5⤵
        
        PID:2124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
        5⤵
        
        PID:3760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
        5⤵
        
        PID:3212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:2916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        5⤵
        
        PID:2260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
        5⤵
        
        PID:3924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
        5⤵
        
        PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        5⤵
        
        PID:2880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
        5⤵
        
        PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17103187875975530247,15132308361528462888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:1772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff830646f8,0x7fff83064708,0x7fff83064718
        5⤵
        
        PID:4376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10665705175440417194,5829923941242977305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
        5⤵
        
        PID:3968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,10665705175440417194,5829923941242977305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3624 -ip 3624
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4848 -ip 4848
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2836 -ip 2836
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4440 -ip 4440
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5538bf20-d113-4974-a775-f3112ef4f93f.tmp

Filesize
8KB

MD5
a1c3747502048d00ffe9cd725898c999

SHA1
549d509ab6310b8de98fb7e31116f655d404dc3b

SHA256
e53895b4745621d1c55e1d56e4117ad8543aa60e938e4c7849cb956b10c8fe43

SHA512
f717468d99e27707525061c7bc584a78d58a6fc34325037bee22bf89e5af2bb2d9f21f3ed20b34005fd7472e7e4cdc615d356ba1385ccc48c60fc8fae0178211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
37f2aa7fe0064c38ff25ff72ae482f13

SHA1
eb469771b1bc7d34573ee7d4c9d58b300cb62d6a

SHA256
1beb71f7615b3070a2ab9b2ffe99cd7d61eb9a8000b72491c30bca09790ef3de

SHA512
60bbf52e9d1cd9e4fab53a1434606d520f8f3c566205bbddc59dc76a38adeb290f746ca02f92d10325a4b0edb13584fef4a2e829a081059a7aa2e6a10f91fcce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48d3355dbb63384e3bd123afffedf86c

SHA1
a5ecb3e56b58695e47910968fa0084d7f1ebdf5b

SHA256
4e305cf0ccaf80d32502204904187207fa058d3b51e27d08acc5f249f8b6f70a

SHA512
71dae169b0ffd3c64dea78d794155453c06253b01da282b27fe91281caff1bdb569eaea4b5c0743b3497909c8450915747fae3830bda0ff6ff83a3bf80fcd1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
928c63df8b2288a13d2d20907405b816

SHA1
9bd3e5e4e941084b172183ddc7393762266ebef7

SHA256
ca86e2d1e94b6e47095324bc69e181e16fb6d47fcbb2005ccbd4966f23a6bd69

SHA512
4198cd3227c3566ec3d18c1ebc17564b27668ba73d6aa306f4504df89b938ad566dc381cf47a1e1a37889f72ffe323f621d043b8ac0e03eb6f448269ae5585c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28f1ac321827c7c80be9e77347473ece

SHA1
34d83a4b1653b3fb1e682c8f454494525abfee95

SHA256
514d8a92edcee5082ac1b4458e76d067c2a75d667fe9de00bfd16f8c589ea574

SHA512
95424f41dfedebc7032ce795a84a96b9d91deb81c9178e895b1940b9e735e23effd5475a4a2f6708afcf038df0783459d60d61b67cc50d7cc40031bcf2f618a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f903598190f3ddfa37e7ab46fac7af4a

SHA1
dfa057c90af9b4b3e71117cc60e7e560f727aa18

SHA256
b63fb8cfcf894f933d7752deba5bcab7b55038d66b4383f551ed84372c985cdf

SHA512
5701af52cc7b28b4e83b0f34b05090a1cd4c77f2502a524caec34b7f4d1c0c72aa7b7bab0f58dfbcd9391f74f6c16c443f37c5609d3a087370844e27f592f8b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
3fc762307dfd3d9f90ad4738a26650bb

SHA1
a8a18786f99214e02be7fa37de5b007ed221b96f

SHA256
f710549f5787a2d83dcb0be02ed59fb6becfb9a095670d36540ca0450c11ffbe

SHA512
f4725c94d6f932fe8d9fefa241f19ad92768926ad2713f69d74a844a06ceb7082848c0c354974eebdd7f719472d41d5f60a2c37dd1d54a41f42616e4790c4f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c050f902d44f36e3e6058acb6a1de9ca

SHA1
adf07de378dacbe9de62c492e9f412cafd38610a

SHA256
eab02e0136299bfb8f3e6f77d5ba25978d5668c4bb20147e2b8ab2c945b4586c

SHA512
4441ce092a5a10ed4a8c01251a57ef0c4671867c43d5d60c48c618db2bb79e97f43c01f672b7701dc3a2ee2174a334fed5d89105792063fb5f9f2ac7b45dfa91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c469a9b27d9a011d483c3a7d2d112d3d

SHA1
965cf7f3bfbaeada2b06aa2f0bbe8d5319c09346

SHA256
d974b906b30427209790d5fb77a6ea9b6f103fefc042938a2327f1df7c64833d

SHA512
85451d8db7dfe29226aceef601f3f50a2b9adf4adf52b71b5abc42ddf7fa70a7bd153fb82cc5507b9c9bc827229255defcf28a5047fa0d49ec571ca898ff0867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d7d2.TMP

Filesize
872B

MD5
098fbef791fdead530399a3bc84cc009

SHA1
2ec274a51159c72dac7c919775f5550383a8ece1

SHA256
9c64d236ac60f3ccf12c43c5d7c6ee50c0e59ea8218bffde9a50d91cdf2596c6

SHA512
438e3dd0317cb2027badf6cc2610b86b50eafc55db40dc9249b5eb18a4555bf91647cf9c1b47662ba48280502eb17cbfa91b2c54a229f86cfb87ccfbdc3a93c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8beea9735fc5c23430d79119e34f0822

SHA1
a9d02b7160a77d37cd668769b6d2e523c5ea5619

SHA256
800ac552e0da181bd3354f4453646586c9180731013af434595ceab440432e5e

SHA512
ec9e5bffe67d4f8950a77e703ea8e3f6c32c2fc832784a4a55394827448a9ca8718891ac374e26a7815b23b991e00ab5cf22dd6210b998881050f198a369cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B3.tmp\81B4.tmp\81B5.bat

Filesize
88B

MD5
0ec04fde104330459c151848382806e8

SHA1
3b0b78d467f2db035a03e378f7b3a3823fa3d156

SHA256
1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f

SHA512
8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5TR3zQ5.exe

Filesize
97KB

MD5
c9461e6c48360d2ce76881f63a8c49ee

SHA1
7c3287ea8a387263eed5de97958e3c9bb30718a8

SHA256
90d149398a8d467687dc69d5006b1456f68d991fda8688e423c926bbc2a81912

SHA512
f46581005a4650858c309b63ec181993dcd610df81f9c7d9a9c80bf95b4b24d168acac8c8976a4260ff023cf6cb181161cf24f479cbbae37ee2f1d4894a241ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ui3Tb99.exe

Filesize
956KB

MD5
ee13e683d9c6cb93c95d3d823a6123de

SHA1
aa0f68587ae143d81e882d6243744427ca65c189

SHA256
089fd6648a3fda336463b3c4a8c6212ce5835f8b382cfaa33f8848d8865e75f8

SHA512
ef86769c1c55c5995f9a2cbceb24775437d0e5c262ffa397eda9956082089d1a31e6ef38b066bc896934dc4ed3b76dd2d2ba4c41a1aef9436db8a44e231bb0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4lH972kJ.exe

Filesize
486KB

MD5
529676d2ca3cecdcd4b2d3c62ec1e58d

SHA1
e898f87e9fe6230e095fec62b69e304d7d3c6e5d

SHA256
49f86c416d87d326ed5df7101c2cd75ab97dbf8bbbf38c28ccd09f037af77642

SHA512
5be77c8c60d0ec36f8883f8c5a35625b7c8ab88890212318f2381478d69bc84e5cb600b035f780b343837591ac23ae24d8a410d22324d8c9bdcdd70b084eb5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zp5Qh23.exe

Filesize
654KB

MD5
6d34ab244be8d4b881f3805de9313658

SHA1
0198bef2a94ddb9e222f7ceef3e50bcc7a7782c5

SHA256
2248a5f6cb46db93f7138cd6ce87bbe7613d58e10a495e77891d11aeabcc6785

SHA512
cec25735ed3d8bb5a0145fd2af89d5722e006f75e32ad868f9cea93bdb52f8da1fe8bed1ae949b64275f52683ac4f7c7c1d9d92f5439eba04a31539c667d8968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3oN74eX.exe

Filesize
296KB

MD5
00493b7045057a41fa7891705548109e

SHA1
8b79b334a80d51ab0f8f6cc7932c0cc188d6f6db

SHA256
73d30662a7a7ce7661f575364d91abe548aa612948c47bb20f453131aab52abd

SHA512
a2c548e5fddfa1ac55fa39ca67dca052e9986cb148966ef2024705eba6c6768433090d9a5b6e972fe0904a16feffd42efe8016324d7c56bcdd35e79328ffb9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aZ9fy75.exe

Filesize
401KB

MD5
8b1a28d1c6e2e34838df978e1126dd12

SHA1
1c60dbf6e01597edeb3a3bd29825dc594b9b67c2

SHA256
75f4c366d2ec1514a6fc8c09f618ec754afbbc253c8b478db8a57300f76413b3

SHA512
1e7064fff6817608262352a90b7fb56cc1e9daeba994ed8073bf68e750c76919c43bbffcaad516081ee8b225045d6ffd4493d63b3bce0e3ed27b7744ed521632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1LV10RC2.exe

Filesize
279KB

MD5
7f476b02c652f3bd9e1cec054ef5e5e8

SHA1
35c3848fdac6c91ee3db5e2e328615fac57057bd

SHA256
4283ccbae7701d5ac2d92d326f430440ab4a1bd52d26a9c89f77175bdfc0097c

SHA512
29dfa157bde47661a4317e997ec0a1d67884a25be161e331609cfef8e5915ee2bb50b7fe5767d7a03a8bef6d265937dc80d5884aee98c7c0c64f127a889d4ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xV5613.exe

Filesize
447KB

MD5
b9c562aeb8fa13457b94d7083017860d

SHA1
d92f5294697ce14c451039e05da3ed30365188bd

SHA256
aa3377be3bc74b0885b012fe91791763881f3e0ea74f6abff7c5f3706977da9d

SHA512
6e84804f9232296d821ea641f1fe31c6e75e5e28eba1f0907e1ce58bdd30bb33dabbfaaa32a065034d1077812715e3c60e23e59a94c53a35d391ec57a68cd8a2

Download Submit
\??\pipe\LOCAL\crashpad_1772_HBBGRHFXTMIAAVDM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1788-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-44-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/2128-50-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/2128-45-0x0000000007AD0000-0x0000000007B62000-memory.dmp

Filesize
584KB

Download
memory/2128-54-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/2128-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-52-0x0000000008B50000-0x0000000009168000-memory.dmp

Filesize
6.1MB

Download
memory/2128-53-0x0000000008530000-0x000000000863A000-memory.dmp

Filesize
1.0MB

Download
memory/2128-56-0x0000000007BF0000-0x0000000007C3C000-memory.dmp

Filesize
304KB

Download
memory/2128-55-0x0000000007C50000-0x0000000007C8C000-memory.dmp

Filesize
240KB

Download
memory/2488-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4600-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download