mystic | 248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b

Analysis

max time kernel
865s
max time network
871s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Size

1.8MB
MD5

18cbe55c3b28754916f1cbf4dfc95cf9
SHA1

7ccfb7678c34d6a2bedc040da04e2b5201be453b
SHA256

248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b
SHA512

e1d4a7ab164a7e4176a3e4e915480e5c60efe7680d99f0f0bcbd834a4bec1798b951c49ef5c0cca6bea3c2577b475de3c51b2ef1ae70b525d046eb06591f7110
SSDEEP

49152:Eau0Bnly1l8B6hLa5vMIKHVo5W1v2mS0la98MT:Nfy1Wo+JK19eFE6

Score

10^/10

mystic redline smokeloader frant backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1324-66-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/1324-67-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/1324-69-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4872-77-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 8 IoCs

pid	Process
2516	Yt8ge85.exe
4904	GY4IC43.exe
5064	hE8Zq97.exe
4956	1Zn59od7.exe
1456	2PO9885.exe
1452	3FD62NB.exe
4256	4Ii975UD.exe
1076	5uR3lF9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yt8ge85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GY4IC43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hE8Zq97.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 3088	4956	1Zn59od7.exe	91
PID 1456 set thread context of 1324	1456	2PO9885.exe	96
PID 1452 set thread context of 4176	1452	3FD62NB.exe	100
PID 4256 set thread context of 4872	4256	4Ii975UD.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4796	4956	WerFault.exe	89
2532	1456	WerFault.exe	95
1712	1452	WerFault.exe	99
1700	4256	WerFault.exe	103

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651354473176977"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3088	AppLaunch.exe
3088	AppLaunch.exe
4336	msedge.exe
4336	msedge.exe
2364	msedge.exe
2364	msedge.exe
4764	msedge.exe
4764	msedge.exe
5108	identity_helper.exe
5108	identity_helper.exe
2400	chrome.exe
2400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3088	AppLaunch.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2516	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	85
PID 632 wrote to memory of 2516	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	85
PID 632 wrote to memory of 2516	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	85
PID 2516 wrote to memory of 4904	2516	Yt8ge85.exe	87
PID 2516 wrote to memory of 4904	2516	Yt8ge85.exe	87
PID 2516 wrote to memory of 4904	2516	Yt8ge85.exe	87
PID 4904 wrote to memory of 5064	4904	GY4IC43.exe	88
PID 4904 wrote to memory of 5064	4904	GY4IC43.exe	88
PID 4904 wrote to memory of 5064	4904	GY4IC43.exe	88
PID 5064 wrote to memory of 4956	5064	hE8Zq97.exe	89
PID 5064 wrote to memory of 4956	5064	hE8Zq97.exe	89
PID 5064 wrote to memory of 4956	5064	hE8Zq97.exe	89
PID 4956 wrote to memory of 1148	4956	1Zn59od7.exe	90
PID 4956 wrote to memory of 1148	4956	1Zn59od7.exe	90
PID 4956 wrote to memory of 1148	4956	1Zn59od7.exe	90
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 4956 wrote to memory of 3088	4956	1Zn59od7.exe	91
PID 5064 wrote to memory of 1456	5064	hE8Zq97.exe	95
PID 5064 wrote to memory of 1456	5064	hE8Zq97.exe	95
PID 5064 wrote to memory of 1456	5064	hE8Zq97.exe	95
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 1456 wrote to memory of 1324	1456	2PO9885.exe	96
PID 4904 wrote to memory of 1452	4904	GY4IC43.exe	99
PID 4904 wrote to memory of 1452	4904	GY4IC43.exe	99
PID 4904 wrote to memory of 1452	4904	GY4IC43.exe	99
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 1452 wrote to memory of 4176	1452	3FD62NB.exe	100
PID 2516 wrote to memory of 4256	2516	Yt8ge85.exe	103
PID 2516 wrote to memory of 4256	2516	Yt8ge85.exe	103
PID 2516 wrote to memory of 4256	2516	Yt8ge85.exe	103
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 4256 wrote to memory of 4872	4256	4Ii975UD.exe	104
PID 632 wrote to memory of 1076	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	107
PID 632 wrote to memory of 1076	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	107
PID 632 wrote to memory of 1076	632	248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe	107
PID 1076 wrote to memory of 3044	1076	5uR3lF9.exe	109
PID 1076 wrote to memory of 3044	1076	5uR3lF9.exe	109
PID 3044 wrote to memory of 4764	3044	cmd.exe	110
PID 3044 wrote to memory of 4764	3044	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe
"C:\Users\Admin\AppData\Local\Temp\248fcc901aff4e4b4c48c91e4d78a939bf681c9a1bc24addc3551b32768f907b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1148
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 576
        6⤵
        Program crash
        
        PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 600
        6⤵
        Program crash
        
        PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:4176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 576
        5⤵
        Program crash
        
        PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 572
      4⤵
      Program crash
      PID:1700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8f9546f8,0x7ffb8f954708,0x7ffb8f954718
        5⤵
        
        PID:4292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:2264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        
        PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
        5⤵
        
        PID:1264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
        5⤵
        
        PID:4596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17452504544891897505,16874425720222747423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
        5⤵
        
        PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:3888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8f9546f8,0x7ffb8f954708,0x7ffb8f954718
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10836221626593307347,11876089297897806218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10836221626593307347,11876089297897806218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 4956
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1456 -ip 1456
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1452 -ip 1452
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4256 -ip 4256
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb9f82cc40,0x7ffb9f82cc4c,0x7ffb9f82cc58
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2348,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3916,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,10585971764204554789,16760972556830923433,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:1348

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
1e44b59b0381d269602e644b4175592f

SHA1
06fd9d0f1d4e31913d58b69aca85ce8ba6dccad6

SHA256
980f9753f254994604eb2077fd2e705a711e88f90c56bb2ba786fbe8b438fa32

SHA512
5e502ea4c009fa85eef19367c9c4f40d19d0fe69fe994d6c3f0d6969ffaa704a509fef2d8b51473c697a98ef4f8b0f4271611e4f17dff7ad6bc32dfd6dd336da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
32ef000063feb6439a4567c71d5dad85

SHA1
4e8b832e4e4638be0c9685ca95d460650b8d3469

SHA256
37f5643f4463dbb90acf4dce69505f31b16c885a247e006052c8d6a6a4ea3476

SHA512
2cbf7d6fccd12745f38241e7757df0aca8da7d6d7f42caf8b8849601efd9249de4638b1226f5c2a3a6b78bcb18d22e4fd8a849a8655fdab9966c92adbe57809c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e8eaa377e19d847e804639337845ce16

SHA1
def7a2c4aaf9a5aff46a6928909fe31060f245c2

SHA256
a57831f994f8fa38dc15ea9b3f946b595dda53ffe281b33e3cdcec236ba976d8

SHA512
ca8afeb037bc51e475fbefffe1ac921e97670352c5c39747ed375e7dbf9071a3eed5766dc44a89d17da185929d3493987c0449103626a640d2dfd62fe2ce850d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f59afbf66754f44b47e4b8fb0801c213

SHA1
31938dafa6b88f5c8f4308cef05a0adee3732754

SHA256
ae98ec2a9871b195e687edb4165fb9b573eb69c2e596d4aedfc6969064651b5c

SHA512
440b1a8ca8b2fd7793995aa104d67e33d37d947d6ef4e6bdf87d02a1bc070c754410ee1e1791b4f60a226e36da82ac0bb7229fada27dc855b6c64e97e22fbecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
00a71d54e7899bfeddb01155890f7614

SHA1
1f56956f7fe34ccb69e5e7138bccc51b8b955b43

SHA256
d37259d5f9dd52646b63f1cb5129626d379ce17f13f1b4713186a9126707647a

SHA512
31f5fd9da8bda2a78e57c19ae9d9b65e436fa6a0d4115dce83bd24fb7eb3d8daf03ab749277a54005d4a176ca856eb8bd46c8343835aa5b17fcb2ae7d82247d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b719a811854cc97e250bead4c34b855

SHA1
970ac13ff5c65140219af65290d0c2d5ba4c3483

SHA256
0e3389400b60e4ef1254444de57e16e788f6aee5e170614f3cd95c31b5b0051a

SHA512
a897bf3ab94877104e24754e549f8197f18798f640d1532e43704f1954c394237ce7c8fac505e6d2abcfe9ae62a33cdde7846521a0e32baac721fffea5173a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
79388f1be2a1aceef6259d605a536070

SHA1
8b5f53314d0e264e582190e7d2e2f441cf49c038

SHA256
7c5e4a20dd8efa33233cb2f59b1f858325f3995ff3c91b3e893761617a6d012f

SHA512
99ecb9ff21c1f016c8f29269b424462b79f937b6192f2595f96361a6e8e28be600610ce5830f4964a00e65c3ba2f0b947c9b657514ecbb73bc911056e5709074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
2289e65c6d944b51108cd532b3df868c

SHA1
f3c50dcf3cf082f1a2d4ff82fb3d84529a113b3b

SHA256
9160e72676590a6e9b5654d3df01bc2f5b541569cfe99dbf97aace8b82ee5de4

SHA512
1bcfdbc81e2a37555a1e1043ae6e78acd4a09bad7e0e20272bdb00e7383f38b0db3a472ee342f66d2498b97f95e0078c9da84533dc823ebf5fdebd9e8ef70205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
52a1fba058313e2150755736b5b6b219

SHA1
90fb3b47d28285a21ddb42ac594fcf6670ad06cb

SHA256
adbb38e83338e8f8be07b27d013bb43754bca8133d14b225ba9663bee44ca88b

SHA512
98f138263e8333e4a948b2e9eebc3435c954f6a0d1e2cf58263b3af4878760b7343b8792d489945d20f04512c75e404a63b2cd1e692481de64b4c7ec7bb3c15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
049cd22609724f9d1119437b38530ece

SHA1
10d242fd73876d6470455f11dde5b95ac38e3d78

SHA256
ba51ae2cd8cc0265977ad920f798f14bacfe29e0d838683c092452abcfd31093

SHA512
1548de16c2e08eb0ec857efc6a3f6ed68a1a2f33a7e1110e9d354afae212b3a8b940ba1130d69fd8149db1aafee7ebf1aac070c58fa7f6824db60dbfc0c39c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea39b1d552a947e1b967911e5ea7491f

SHA1
af8a487a2bab5c683c5e962f78f2047f6d2f0335

SHA256
e9791a29c2d68ba8be6fc9356cea9c023088fb3ccdc6f9fd6c834e7f76aafe68

SHA512
f1dc029cfe4237abb6af92acc23877f5627e0d0044768e311b4ce1850b04ba51234f2656ea281b66b80a3cae9ba0c3a4f7b1ca462dafce4cb34860a633bd5603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b92a9f448e43ed904e5c34576c5b3b97

SHA1
764f4aa109c97668d08278b6ee990387191c4ee3

SHA256
5baf87f6dc61262a0b8618fbe476e1fcb5e6259b0b34c0fbe5f93271ffc7915c

SHA512
326b8593988c8351435543b754490d74f42723508892496c8723c570b0efce65574fa60e31d3540d9faa93c04dfb9241828d0e54491703bdd46fd547e33ee89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a3ffb4036ecb70ca682122c948ec2a8

SHA1
ed6d4a30e39c5dd4197cbcbf12cceab67bf372ee

SHA256
428463234a0ae1f068a7f6afbf003e0418aef54bc6f03ddd0afe5219a3010a13

SHA512
97b46014c36e133255fd2277b843c3babd8c429b9c5d750184757f294af0a2c82870d787ae7577548ec124ff493881883071514dfe1b50a3d6ce0ef95d485b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
003fee1e5129039f8d49edaf6c80c1a6

SHA1
a103490a2ac24b0540a2b0008475ab2994cdf101

SHA256
7b08a26f6c4ed153831102d390cf7f4e0748deadf90bb22ce9baae3ae1eb96db

SHA512
35fc5e7d5285f6b2d8606cb651df941bbb675d5b5306b68e208ff52b3ba86901eb085ea95402f02213b698c6b71122fceea3675918c3d30311217f46ff84a887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70a401eaf61e298ad761e14eeeefaeeb

SHA1
4e7e4b132facc49266f1e1815b462fd612ae5766

SHA256
cb07e29bfc0b919a2e70993a499d689e5880b1731a2307c318d8cdfff8da8dd9

SHA512
7599447d686d403d625bffa4536202641b84179b71fff9df82567801a4ef301e748ad1030199342118a2d24a2fb04fa4428dd93c9fb8da985b8a59e3f48d1637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
630d74744605c3bdd8463e63027532f1

SHA1
7bdc9fc513c1fb2fdf7b3f29796f9542afda9bc5

SHA256
dde0ccead67a388c5d0a24e34229e9aa3770b8eb425dce4f120fd0145186805e

SHA512
2ce5caa617f00a0bbf794a23e85e2531614ee51e577849f261a085e661d4e3cf49d32de264424097408a8ebf526daf65dc3d434c1dcea84092e5027078355e02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
572adbb4b49e6bc394134c8471e91287

SHA1
35a1116a7ddfb179c1a909879bacbeb8d7e286ad

SHA256
8faecb928ef71d728d4e5a7e7c6dc27b9d732f5e7520bc02217d0c45421ae225

SHA512
ea3aa67793a536b96b7e18ee7db6b0cce710b588b6f6087099b570e5543ac73fdbad5ad18222e86e89b7f55a65b499e77a8cdd59d0b68ee06ef3d8513713b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804dd.TMP

Filesize
872B

MD5
f6448035ef7bfec7ff9ed9b4cb15841b

SHA1
b634d97f6130165f00575fcb73954f044d59df21

SHA256
bc2477ea298656d59cdd8f5c68ebf1656c4fb07fe1c474ab85abbdc71b508fed

SHA512
f97c15d156d940d48a11c0efb67526901fb8ac1c85bc5477b145dc7ff9a0bda1a2e7efdd028dac73adce7c88d3ef66d5ec9c47d296bb1da9c754a05b2930c3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f08fd8cb60221fffa7169e32438dd114

SHA1
9738390512d4d98b77f78c035392c733ac1e2edd

SHA256
80737748102c5f2157c304bee54cc7d2f2f242f311f58da23deb5950067f487a

SHA512
43b58ef9ceefa34306f8b88cf3730266c91507d77f5b6e957f62be6bcd947e442db5baabca13506d0ae6548d5b8c4c4f6950f24a6a767caea7a26cce106407c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9bb2aed20e43acc2e317718b10d8319c

SHA1
cad04df38ae9cb59efee6446cd581125858655ae

SHA256
b61787b153b8c5e0b9dbe9cd54903f0dff780b40cbe59b6afcc88f70fbff6eaa

SHA512
e9802a05a49f7f2bcc123e1c289907d1dae2ae536ed40bc5a1aecf90189bcd7adf4850955f63f3e4e00ddaad331644dea69bc516404ca98cec37d836f02fb315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7ca54fb7fbbae8809ea3a77dc2f7b87c

SHA1
38eecbd80713ad744c68c09fab3622f9277beb3f

SHA256
8806cc5f4bcf4d62e8314e57f8d64c460c5b3e4e0be5f0e5dd569046b6d3c8eb

SHA512
0bafd37aaeb9a911c484d01d0e292dd68f9f666defa90b71d8d46352636c18c6d1e123798631e717f9514093c025caab4f0ccb3c0a799f088074b7f8c2dbc5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5uR3lF9.exe

Filesize
100KB

MD5
e0f8b21b36fee4e7738a6b5a1ab83673

SHA1
e305d55d4d47bfa62eae5f8e6f34e5b133a6f40b

SHA256
c567d825d19e24343647ed36c77033fb1f46f420384745a9734618684cb7d384

SHA512
716e6624ff87c859d08e2bbcda1137a2386d30b5b9ef545daf2c6585bc3366561773b9ad6c719a1ad99f1bacb219544ae4556629b355250e2234a7f87d24e238

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yt8ge85.exe

Filesize
1.7MB

MD5
847ee3021803e4adaefcc00aa8283017

SHA1
87644df0985b5ef9791c72ce79f423350629659e

SHA256
4611614d9c95b0d0e4bf4aa486cc700db6e49dbef7fa2726b20f165e6798a9f7

SHA512
1aaea476c061160439439d2dadc05e451166faa5614ccf8960b592df6933d07c867ab8813c08026b8b2c35b20b03dc0d26641e228fe06cff8c4938367e515b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ii975UD.exe

Filesize
1.8MB

MD5
cfbb3be155b12d0cc69e3d932fbb81eb

SHA1
fb5ed48a80131043c4dd2e4ac69b4b38578f9753

SHA256
fd37c07f519f522eb717a372299525f667439b8b0d1aaffb670a011dbbcd58f2

SHA512
38aadedee5bd57c7f475e96d74abbb0e671bca462c2c700b7a034e2d1513bd8aebc30b7b75bf1e8cd7b7e3a831e69d5dd0ceaee3d18ed296a2cb3d1b051164cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GY4IC43.exe

Filesize
1.2MB

MD5
252043d1805587b0e65a07f885d6719e

SHA1
2210de44be60ba496ea5d4068e715c1308066989

SHA256
66839bc22b9c9f717198cf8faa64146fe95dff51dfbb8c0f61982f2e50e89557

SHA512
dbcdb0b6fe37cf2c733b6683c2e245008400c84b59450f34a794e513955aaf392982e20f2eb2fce696eec2574fe15f699841748a21fce6a1e20a4381fd52f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3FD62NB.exe

Filesize
1.6MB

MD5
7d377f5e1ba6597ff2cfe4f92639367d

SHA1
188ab803c9926ff3448c458030f418099ea03407

SHA256
c705efd2888dfbede96714b58aede50a28b3da45aba83a909cb104ce34dc735e

SHA512
2adad69f3a358ad955b00c8d7826c396feef9d583407d4c7d53ce3e16ed760f148f553f49df5bbcd6c5c68b87bcf7e1472d3c789946b23dab7ae94b4036540e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hE8Zq97.exe

Filesize
725KB

MD5
403a939a04b4384204d35dbc659bf772

SHA1
a5424bc4b18c00fd261d71861fad75502a963397

SHA256
75d5ae4d95b66cb33ccb1b8c39adda5b287ab6c44b11aa42b8f3351024fce1fc

SHA512
860d17990d95694bd7e799b22e6af6fd93a20276439829e945f9aff079b6c708851e8b3e55200b8ef97d41d91608911a414b4a69c26e5593b9b4ca8a134ddbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zn59od7.exe

Filesize
1.8MB

MD5
ca7a5693b5b0e8b54d6dad6a5b1b86b5

SHA1
49da08ec9be5e002b0d22dd630182c3a905c76c7

SHA256
2d66fdf0417c3d3612015ff191a2010f78fffda1b1f2ed7682181ed7c8fa7c12

SHA512
68ac5c2bb689bbfc903cd2a13fe9ecf998b442690ef41d88f611ce40cb8cca1d795099cd40bc7f5325203e6314baf6a537d8369be78ecb1703f8cfc75cf26158

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2PO9885.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
memory/1324-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1324-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1324-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3088-48-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-62-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3088-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3088-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3088-32-0x0000000003000000-0x000000000301E000-memory.dmp

Filesize
120KB

Download
memory/3088-33-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/3088-34-0x0000000005570000-0x000000000558C000-memory.dmp

Filesize
112KB

Download
memory/3088-52-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-60-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-35-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-38-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-40-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-42-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-44-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-46-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-36-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-50-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-54-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-56-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/3088-58-0x0000000005570000-0x0000000005586000-memory.dmp

Filesize
88KB

Download
memory/4176-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4872-87-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/4872-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-78-0x0000000007BA0000-0x0000000007C32000-memory.dmp

Filesize
584KB

Download
memory/4872-79-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/4872-85-0x0000000008C40000-0x0000000009258000-memory.dmp

Filesize
6.1MB

Download
memory/4872-86-0x0000000008620000-0x000000000872A000-memory.dmp

Filesize
1.0MB

Download
memory/4872-89-0x0000000007DF0000-0x0000000007E3C000-memory.dmp

Filesize
304KB

Download
memory/4872-88-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download