8b69e0052d3a09ecbcda4992864a6161134d97090605dc13de9f4d17fd5cdef9

Analysis

max time kernel
1753s
max time network
1760s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Nitro.exe
Size

5.8MB
MD5

8da6d9c15824162f4dcd124f9a85b9a7
SHA1

9dadcad383afd188c8c06add8284695f424f434f
SHA256

8b69e0052d3a09ecbcda4992864a6161134d97090605dc13de9f4d17fd5cdef9
SHA512

36ab99b27fa4a1ff65110c012f8bb704181bc7ef778534dc26002edaf094c9b2f20f724a853ec1dbec71bb7dafce8b761023dc35c05ca09164aa74dc81addf59
SSDEEP

98304:6QIZul/F4DiwTv3Ea/jk6UNyQlX+6GdC8w9FFW6kHG6bExeOyTBUEUKFE1KH+AJu:LIZuVF4DiwTv3Ea/46yX+tXQFI/HfAMs

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe
4648	Discord Nitro.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	discord.com
52	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord Nitro.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{86D3E5F2-0340-4BFB-864F-84722AD0DD6B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1908	msedge.exe
1908	msedge.exe
3716	msedge.exe
3716	msedge.exe
4424	msedge.exe
4424	msedge.exe
5452	identity_helper.exe
5452	identity_helper.exe
6020	msedge.exe
6020	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	Discord Nitro.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3192	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3192	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4648	Discord Nitro.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4424	4648	Discord Nitro.exe	92
PID 4648 wrote to memory of 4424	4648	Discord Nitro.exe	92
PID 4424 wrote to memory of 780	4424	msedge.exe	93
PID 4424 wrote to memory of 780	4424	msedge.exe	93
PID 4648 wrote to memory of 5092	4648	Discord Nitro.exe	94
PID 4648 wrote to memory of 5092	4648	Discord Nitro.exe	94
PID 5092 wrote to memory of 2336	5092	msedge.exe	95
PID 5092 wrote to memory of 2336	5092	msedge.exe	95
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 5084	4424	msedge.exe	96
PID 4424 wrote to memory of 1908	4424	msedge.exe	97
PID 4424 wrote to memory of 1908	4424	msedge.exe	97
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98
PID 5092 wrote to memory of 1760	5092	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\Discord Nitro.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/NRRytFFReh
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc505946f8,0x7ffc50594708,0x7ffc50594718
    3⤵
    PID:780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4176 /prefetch:8
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2260 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:6020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9249164833099356278,3246353565423479420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7028 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/JkGHT-qky8Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffc505946f8,0x7ffc50594708,0x7ffc50594718
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9457813212742648785,17411552800440874542,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9457813212742648785,17411552800440874542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x3a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\69b98298-734c-4f53-b407-e7480b1c05a7.tmp

Filesize
3KB

MD5
f860c6df1b0051e465540fb77b56de8b

SHA1
bbf390f098e652ecc2ccb95aa5c2da206641fd94

SHA256
671c93317e74762ac084436e5dff08686c4d100546d6cbbe4c4be2f820d4c545

SHA512
b6a2500b14df1665711572129870e8dff880fafa8b84a4557a64d2452bedfe662b3ca63ed696a63acf9da1e85bfe13a26252aa8a32ab257435b3da902be44efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
00a647028c50af8946fd877d4b15b556

SHA1
f29d9c053c7f4ce443ae1c86aaa81adcab2a4d84

SHA256
6e24d149ee7a3ceab058e00356511104668651396388bbdacbfceefb0b62a2ae

SHA512
2465cdb686973cedc0f85d002fbf1c165f2600eacca88ae9dbc18e4a8bd60320bb1dd88fc17ca91778ae9a991b8dbbd42305ab111c0d21bbde29713f8ed9fd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
3b1c0d83d1af5138f3dfc5038a11623d

SHA1
94bc25cf6e9a7e44daa0ff76fbaecc2680bc6205

SHA256
0efed9400b8aa3a7ab4c27cf3fb36e52959572c42282635181651b4b1af278c7

SHA512
837ee73c14eb7094f55a18a97fbb8fd4811da712e58740bea1e1680edb728660ae893faa4a65818c53840f472863bd205454bc8ecaf9010e9b05e56c38dee467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
70b718e1eb8a7bf63ab47e5727af9578

SHA1
5ea151ee125e49253b3d69c5486e9dc290f9f1b1

SHA256
4622fbe6f3a8151063c2f7377fa49519c8dfb85cc692d4f60a6478917df2c939

SHA512
6fc101c9b82dff9e7d0ab966cb205afd25df64a9d31c1f178f50277696183c811cfbb0be53f83987756a64495e97edfaee65cf81be2b5d99749f5d5be3de547f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
28a63fa525cb9bd520f722c5bd2bba89

SHA1
bdbd733d379259efdff33275970f64a275ca7c98

SHA256
2c08549790f2fc97cf020f90bcb7030e4e5430736b53106399df64440ce4d807

SHA512
4d553b852b34fefb95c5b82ada3f09e346000dc9c390426fb16039eb59b1132b1ab10ce998893f27dc53fe1d2ccda142954cf6d6edcd3bf9b472254d5d68b113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
194dc7b7f948473f6ac13e2a4fb68a47

SHA1
dc24e4b74a457153a23b33d76162598d00cd2909

SHA256
293f9c3416542f6536be18d7b8a9717fd1332f661da7b4590e331611f33ef222

SHA512
553d78f5e02a3b2c48f0979e6c89466317c71e99f9f16a307f20a754aec7466100b0501df321d004e4d63a9f753882fa90b36a4579da67b46aadac1df2d158cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
76043f84029b091e916299328b2861c8

SHA1
1b4e90eb7efb0bf288ed4a9e047e6f0edaec2c6d

SHA256
a4d60f542de4b4afc50916098197f32ee798f40f47559ba968eccc88d64c3161

SHA512
477f9cd3bd5b58c3874a0e742a3a60905488fb5245565621285bd39b41730176d296f89b5e6d1bd7d0b0d19131a316bc917dc4b8253334d2765aef318fff840b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2107f8ece90c9594b1e95b9d05ee62a7

SHA1
ad93469bf547d84ad37a00c606ea6d10e265c1f7

SHA256
ec64e56b88aa7d3f309598f8a68b23955dadfb813d3f68cb5c1c094b29c2bb51

SHA512
722529efbe0c228c00db825c0a403f508ce660567570f6f6e71911a9fd6bab4cbb241d6ab291c0e1ab3125c6115f742d4f955c9b6d31e934ef596da4e1dd22dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5917d6ccbf50711926bf018be03ead4d

SHA1
9cccfb4e5d7eeb6e97923824d419f96b53afa1c3

SHA256
bc3c1fe493549d77eef6f5ddf40f163ef28a8eeebe272769fe9379460d863d45

SHA512
0f4be0c1042df101f0793aa07469b12d6d8e5bd7df3cd11c7d44e4a007fbc995c1769d25a76ac6ad0553ba24623bb34f85374e970b83def812d81baaca1b4941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1d94cda7f3dee96d94b6bd6bdfd0d87

SHA1
f36f2991517faaf8be7a9d35acfee8c3b6ad08c6

SHA256
cbf795dde5faba1ba54b784d390c4026441d08715da9747b3e9ae16bd0b526b4

SHA512
f5d87014c1ceec741549621d6e8d0df2bf0f52c457166c053d02b66fe975cd0f63f957c7edd8d507bebdbcccb156e8c735f29b3bfaf5a27daed6210e02f60fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\baa9cf05-45e4-4fbc-873c-3be44dd49e43\index-dir\the-real-index

Filesize
2KB

MD5
15aad09275559890da12596f604c5a68

SHA1
5f51901502062d2ba17aeffe432a161cf2d8d7e1

SHA256
32f59d59b8125a723cd6138439eccd9b6d26acc78ebb5968c9ba5e86bba88c24

SHA512
0c281cbcb175059645d7d12ef30f05d6bedc1ddf4670ad1eed21cf6073ed45cb0414873ee40419ca7abb9e77dd80d7f1ac04b7e15fd0adf84640c97b75bf0d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\baa9cf05-45e4-4fbc-873c-3be44dd49e43\index-dir\the-real-index~RFe58f71d.TMP

Filesize
48B

MD5
b48b0f0aa04b7b88935c179d71f2dac9

SHA1
16a46fc562e7b26e08fe6e94e4c7b8f4c1979520

SHA256
c3fd645a219732b3c51dfa24c7df8088cddb761302f11e96654b339ee0848a7e

SHA512
40d4ffd5db981acfd7415101b836f74a7e9d7d3700bb542bd1a2d5dab9ec8ad5f8b69dfffcf14bd657bbee63d315bd19ae41c731de7fde6ef22202880d58cf8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
d9df6330c7167c36707e9b689f57cf5f

SHA1
2e660636fa1e4dc516a32b553615c1a049984666

SHA256
1bb6afd3d473f7d7c7c28157e4be426302089a27211824df581c0d4c49f5d0f9

SHA512
a9aeb8560f4eb7c9ec27b56e23106e7d57a030803e8fd364a1832b4a48032fad76859465b6d16bb13c0682060289f70928ebf132e3f95d52d19cfcca3f3a728f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
03808a7971d287010f9faaed2e638355

SHA1
c324c233e7b83c36b532da162bcb0875e0f1743f

SHA256
671c7aae6ef034b14eb7765f007f344e7c41cf76eccb02695244920067692af4

SHA512
50e36425a08e8a23a085589f46fb436e413c65c5b979759b721ea1aa159024ebf221c779e4ae922ab435fa2885269be7775f735881ec96049b14379b79636fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
91ddfbfe961abe88061a60b7b7dcb477

SHA1
03ac04a96221c1922c0a2ed63941f0314936eff6

SHA256
db9589d1cf2addbd9013b000340fab4a422064d586aebf11261822bd9ece45cc

SHA512
4103a899c5dc363a34ef5e975beaef3b1340b5951b6264bdc76a60f6df422aa0dbe6be19aaa7520ddcc5c2f511036b2f9e380f24cea84057c6c371860bd0d909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589ad4.TMP

Filesize
89B

MD5
f90ac034053db47da531c9dda1ce6af9

SHA1
0cc954e910e3368a6f5ef35c2158a295c96bf680

SHA256
606fb7c881c376b9cdaf604acff98644c67699ea4b192f4d35fa7717f11d031b

SHA512
41b7eb7c4b450daf30368b920e6727891b66653afda03758492b3681a378573a96b81838628faec698040cdca723e1b6006322d244c65c96511093aa5cd67a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d388ddfd29226cd953e93e31233766d2

SHA1
857037839e92a57ce9ca65c5c4b3f2ca526a4523

SHA256
9e085511318a93b0c4362d117c69892285729d4e6b63119aa170056c47d2b47d

SHA512
d433109dcf4e8f8a7092e203d76ebc8ce97ae599b5ca44619428fd042218502ead6944a47d879defeb1082a25aeb9584a51ad79ca9a8898b81d6473d62b05228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e9ee.TMP

Filesize
48B

MD5
05602a6e608d63a31e4252f93e6b00f3

SHA1
fa434aca0154c3c02cc2527b9ed06b191e96a055

SHA256
13adca2f0239f13444ac2e182865fe616f9a20049a759453dad4b0244863eb2d

SHA512
8e40f18d8ab0aea11b22470deac16f2dd5ddc78efd08afd37b921396189de0c940ed296819ea66516b73533f2ff5054b9bc3b30dee6c0b258de05d693b82bc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
762eee6b04234e5a4ae2e68557c85964

SHA1
01f8f7b15b9bb1998b163194052ae2245c8923c6

SHA256
0e2696c599d7c6ea1a09aa090186ac2dfa58e9b39dc0c07a7b34a13cedb052f8

SHA512
125b287a86c0c68798cc701f26ce138cbc358511a0e82d3f67ca73ada9b67c911c823299ac5b255e3adeb6a31145b2edeb4d4f811e1040c350bdae7086eca87a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6b22891adbeaaae7e37b9f9f87b62e0

SHA1
ee0dbbd5b7249485b8c08b913a436beb539d549f

SHA256
adac20705ac59b5abe9cc38d82ecf4ebac2785309614b5ff9adf128075236e68

SHA512
f7586530dfcd5f59b369e14ccf95dd6f9f5d8d21e16904b17eb7436dafa5c351b4f1bf41f209cbbec7514b8a536667afc781e23f05e16ec9de9707e903ff6f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e9e5752947062bb648b9afcd7f052a7

SHA1
67ba23f85a3ec33362502282b5ba4f7552644585

SHA256
609501805ab484ca25346a729c4e8868f2300b9a0efb64ef7caddbb503185227

SHA512
a35abd537c4dead249fb087c2082791ef9c97119280e0ea1d748b226cd47dc4712e4be6d0dbba6d3449b2fdfd5a8d900289cc92609c12fb683d8f56d606c4710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f67319f21a543ae726ef866eaa4c0ee

SHA1
b6e8f8346f00e4c23a4fc0caa1e7948b245b8d86

SHA256
d917ce45fa0ae995098bae8579026c3dce4e6c4eab4de779d527be2daa4031bb

SHA512
45e1cf60e30b8d34f07f812e2148731127c02e39b88c0ec91733ba08c91422f5d789b8aaa54535fb31f921065f85a99d1aaf2a839bd90320d8fdbaf11c08eb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e408873228dd26bc57c8f7469d92f772

SHA1
a78fe9a77a7310b61f4a1e0cb16a7cb3a325f69a

SHA256
32ad32ed622d7ff9e34ba6ea3c060a76ec25e1dd9bdb4c791a5500e668fa627b

SHA512
3bd0fd523722982ff666e1627aebf7babb6488a73e440ac36bc68cc4e9dc908017f1c78f5f794084042f9e93a487608c15b87920f2800944c8e3c62175b2ff57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58de93.TMP

Filesize
1KB

MD5
52d58a6c86ab782910c18cdd4e6efdb6

SHA1
ca700cdb651355e087179c74f898047705fee6c4

SHA256
11f10f16dd6aaeee6c5e22d67e7fce2541e9d94e9d6b86eeee4c525141370243

SHA512
a247017b5dde087510bbc8219c465b7e96bef08fa6fb87dd4c2dd8db44874ee09cf5041812173e3c9d9adbae62c8d2318a31cd851336e55a2670f55e9020a53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
76eb8aef0b09dc1ffc759153d24a97a0

SHA1
25ad2b51879ff9d1450969e644d959e83de4574a

SHA256
0b5538296eb5ca43786351a45c75aa1078c2f878469ea776eaab2e24814a7354

SHA512
7c555bf2ce7f30aff690775f98518763a6ce3e8370a166532aad29f440eeb12a4477f9388364a58867bdee1388da8e2922b501939697f5b988a3f437c7b4bd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd0d03b38957a3a196d8d598ffc8d143

SHA1
e29dd0a5f195b5ec0f3129c04874ac7d26c3ee8f

SHA256
c71ca3f5075a3c5aaec47154a5a2c4de749a88d34290c76b337c57f8a30be661

SHA512
2b62802ca3b612009039c828ca0b984224825cdffbe05e287196fc334dc478c315e84e33713fdb16aed9dd88487b1d563f042edd02a86fc5849670fa7b7c8c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\GetSetMasterVolume.mfx

Filesize
115KB

MD5
95bd1478d106476c63ed50dee89716cb

SHA1
e0f2ce64fdbd11bfe29792612761a137d61b3d6f

SHA256
5f83e1e1dca0b5937ede1c92db92493172e17f762abd9c5ab38f7072b73c17e0

SHA512
44550c7443166cc5f0d65a69d6d2e39522e4f5226a5801e00053294091e715877243e2927ad7f741e62c5f99998a9f89713854092a6fbcd2e0d1f3c0eae96507

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\HTML5.mfx

Filesize
28KB

MD5
94ba2e93d991571751af1d5d2686e247

SHA1
dfc1aa2eb5741094ff46e14f2a5f2d5b4b7a3a66

SHA256
80f73982c7162d04e95621b11d6a9ecfe0b79f6f678c3f09598d4d7fac72d839

SHA512
57c667b412b2320fb53ecc871de30895ca28f66ad7cdfa2a41d7daa635bf3474b81a1965f277710c824c3491bdca4fd20a8defb99f34eaea053e313a83c1228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\WndTransp.mfx

Filesize
65KB

MD5
6f93111ce72225daab2bcdceee48d204

SHA1
1a5156f6e00b47dd4197c933092578aef49a66de

SHA256
e8a1af555a3d39b1cb0c6bf6511158d4fd48a1e4e2dac60a6f54af4b486f60a1

SHA512
44549a2f29c9b4cb217065cc4f670afe84691fcc9d0bb4898cd8caa408256015b1abc1c29b6ce4083207e56f339f0843757ae07d01e2a2bb945b6ddaa4c8d3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\bigbox.mfx

Filesize
84KB

MD5
ad6530e01a4827fba383291847e33036

SHA1
6ec72ed182478c050807c0e3270974bf34304aaa

SHA256
a427377e56a804f82a5bcf07b7d5afae920f8bbda2dc5f52ce6a7f84448a8bb1

SHA512
33cccc49302f3c257a3ed3b9d3bf0b2dbb347ccba3b6196a01ac317f83c2bd47c5cb9bf47fb677374b95590d62f5626aaf246a318999a4b07c5ee60c4c4ac863

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\kcedit.mfx

Filesize
32KB

MD5
e0cdbe134b5b60c920eda184853e32b2

SHA1
4370e12c54a4ce0a563dfd2212aec9d705cb1133

SHA256
c229b36ce4e3cf824844931c0dfce165da22c234397cb1e8258d05f86decd053

SHA512
1c88267b0e26dfaac0eacdf6d6e20c336b1d4cf6ba38ed1c46b4c8f8881174364404a138f2ae6851e2968bd2f22b31724edc7598c61d620b27e58af53a4dd0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\kcwctrl.mfx

Filesize
12KB

MD5
14e1d33e5c9db83a0dc3101f712b2802

SHA1
37eb0cfc5336681275b9c4e0badc7e25018336bb

SHA256
2f0f00f42917792c0c3ae4640009dedee3c96408173211e44cbbdd6a04f4afad

SHA512
0c0524b2a2b4f64592bd96486cac5f080adbe8971c8d84d6d240656420c01bcb53d12044a8fab220ab5ec34d3978a81e1d2cc76306153a176a57e88a035372a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
22284d6bb382967ff72363f828050e13

SHA1
5c98e25d24aacafffded9353c9526be0128c6dbd

SHA256
9eaa342059785bd584df956574c637e6d0e6016a099221a56e0397f8c86cd93f

SHA512
2e5a5bf115b1d2a07d0647b6f4925ab84301ca6354e3f3beb8d44f51900ff21b06b97b23128160fd94dfd33116d03094ca47c49143ae98473eaaed441f9705b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\mp3flt.sft

Filesize
24KB

MD5
7beafd3ec0c36a1422387c43c49f68ff

SHA1
240e7d8534ed25dffb902a969826f4300a88dde6

SHA256
cd5bd7cc59eaf42bc0edf418ce6f077f9db369d5e3c414107b82492a877a6176

SHA512
44101803bd757bb7a84577aa1c087472a619da732dcdb3947b683cd7a7df30931e4c9973e06532859f9654c4ad3635db205e41fc7214a0f52537be91e87b2734

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\trackbar.mfx

Filesize
11KB

MD5
6582026b7e26357a9e81b285c5345aa5

SHA1
cfbf1fa1fa570621fcda9e190a1195d3f8369f28

SHA256
5dc16eeab508b3c63a24f68c0d751c85f1882c102e09b975a24b4ff9f4d361c9

SHA512
ad900dba76603526bfdfe01e7ee4cb06d90e575f2ee8e7e56c246387b9decf0c241d912bf267ad5453c1f2214dfd17e8749eac60afe93b1753f34ca251f558d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt703E.tmp\tts.mfx

Filesize
104KB

MD5
1f5848fb81b9f01651312cb19af966f3

SHA1
65998c1a2b9ca5451a42f26c1f7604e6bd90cb9e

SHA256
dc25166a9f5845deb6e50491f4b4c9e786166b1dac39e8a30603d02faaf4db6d

SHA512
285b2fcf126515e0729bbcfa14306e4469c862497e05390d9eab6338ff27b7a597f46d0d059eb135d5b335f05528a77a5b4bfa7411bcd0938d572d6ef1d421d2

Download Submit
memory/4648-41-0x00000000013E0000-0x00000000013FA000-memory.dmp

Filesize
104KB

Download
memory/4648-23-0x00000000013A0000-0x00000000013B5000-memory.dmp

Filesize
84KB

Download
memory/4648-48-0x0000000001410000-0x0000000001433000-memory.dmp

Filesize
140KB

Download