raccoon | bf836fa08f437e98267a44e0d4aaec5cafb62bc72b5f6c9d8f7a643ce0e5e885

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2022 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
Size

2.4MB
MD5

4d9abf7905ad423200a067568f45a2e6
SHA1

a19937f1b03ccd9575478369a5666c04080241dd
SHA256

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de
SHA512

10db66702b4c8fd375957cda8b9657bf9a5bd184c9b9b232b6e2ade62d841dd9fcac91cb1d88819ef23b6b680f946a72951a6099d9718e72e1993059b5994ba7

Score

10^/10

raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.84

rc4.plain

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-196-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral2/memory/3192-190-0x0000000002260000-0x0000000002276000-memory.dmp	family_raccoon
behavioral2/memory/3752-212-0x00000000001E0000-0x00000000001EF000-memory.dmp	family_raccoon
behavioral2/memory/3752-246-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral2/memory/3752-284-0x00000000001E0000-0x00000000001EF000-memory.dmp	family_raccoon
behavioral2/memory/3752-285-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral2/memory/1940-175-0x0000000000A70000-0x0000000000AB4000-memory.dmp	family_redline
behavioral2/memory/1420-178-0x00000000002A0000-0x00000000002C0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/4688-173-0x0000000000730000-0x0000000000774000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline

Executes dropped EXE 17 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exeEU1.exemsedgerecovery.exeMicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
3752	F0geI.exe
3192	kukurzka9000.exe
1940	namdoitntn.exe
2500	real.exe
4688	safert44.exe
1420	tag.exe
4260	EU1.exe
6868	msedgerecovery.exe
3708	MicrosoftEdgeUpdateSetup.exe
4576	MicrosoftEdgeUpdate.exe
3148	MicrosoftEdgeUpdate.exe
3432	MicrosoftEdgeUpdate.exe
6876	MicrosoftEdgeUpdateComRegisterShell64.exe
6076	MicrosoftEdgeUpdateComRegisterShell64.exe
6440	MicrosoftEdgeUpdateComRegisterShell64.exe
1340	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe

Loads dropped DLL 11 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
4576	MicrosoftEdgeUpdate.exe
3148	MicrosoftEdgeUpdate.exe
3432	MicrosoftEdgeUpdate.exe
6876	MicrosoftEdgeUpdateComRegisterShell64.exe
3432	MicrosoftEdgeUpdate.exe
6076	MicrosoftEdgeUpdateComRegisterShell64.exe
3432	MicrosoftEdgeUpdate.exe
6440	MicrosoftEdgeUpdateComRegisterShell64.exe
3432	MicrosoftEdgeUpdate.exe
1340	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeUpdateSetup.exeelevation_service.exe972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\MicrosoftEdgeUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\psuser_64.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_el.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_hi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_mi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_it.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\psuser_arm64.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_kn.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_bs.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ca.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_da.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_lt.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_eu.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\psmachine.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_iw.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_zh-CN.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ar.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_sr-Cyrl-RS.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\MicrosoftEdgeUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_or.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_bn.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_id.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_mr.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ru.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ur.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_es.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_lv.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\recovery-component-inner.crx	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_cs.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_th.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_az.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ka.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220730034655.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_km.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeUpdateSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6948 3752 WerFault.exe F0geI.exe

pid	pid_target	process	target process
6948	3752	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\MICROSOFTEDGEUPDATE.EXE	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exemsedge.exetag.exenamdoitntn.exesafert44.exeidentity_helper.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedge.exe

pid	process
5408	msedge.exe
5408	msedge.exe
5604	msedge.exe
5604	msedge.exe
5432	msedge.exe
5432	msedge.exe
5420	msedge.exe
5420	msedge.exe
5440	msedge.exe
5440	msedge.exe
5648	msedge.exe
5648	msedge.exe
5664	msedge.exe
5664	msedge.exe
2500	real.exe
2500	real.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
1420	tag.exe
1420	tag.exe
1940	namdoitntn.exe
1940	namdoitntn.exe
4688	safert44.exe
4688	safert44.exe
6728	identity_helper.exe
6728	identity_helper.exe
4576	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe
240	MicrosoftEdgeUpdate.exe
6116	msedge.exe
6116	msedge.exe
6116	msedge.exe
6116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tag.exenamdoitntn.exesafert44.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	1420	tag.exe
Token: SeDebugPrivilege	1940	namdoitntn.exe
Token: SeDebugPrivilege	4688	safert44.exe
Token: SeDebugPrivilege	4576	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4576	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	240	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

4344 msedge.exe
4344 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2476 wrote to memory of 3524	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 3524	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 616	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 616	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 3524 wrote to memory of 4420	3524	msedge.exe	msedge.exe
PID 3524 wrote to memory of 4420	3524	msedge.exe	msedge.exe
PID 616 wrote to memory of 4412	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4412	616	msedge.exe	msedge.exe
PID 2476 wrote to memory of 4344	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 4344	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 4344 wrote to memory of 1592	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1592	4344	msedge.exe	msedge.exe
PID 2476 wrote to memory of 4188	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 4188	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 4188 wrote to memory of 2156	4188	msedge.exe	msedge.exe
PID 4188 wrote to memory of 2156	4188	msedge.exe	msedge.exe
PID 2476 wrote to memory of 4468	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 4468	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 4468 wrote to memory of 4100	4468	msedge.exe	msedge.exe
PID 4468 wrote to memory of 4100	4468	msedge.exe	msedge.exe
PID 2476 wrote to memory of 2292	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 2292	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2292 wrote to memory of 3800	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 3800	2292	msedge.exe	msedge.exe
PID 2476 wrote to memory of 2604	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2476 wrote to memory of 2604	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	msedge.exe
PID 2604 wrote to memory of 2272	2604	msedge.exe	msedge.exe
PID 2604 wrote to memory of 2272	2604	msedge.exe	msedge.exe
PID 2476 wrote to memory of 3752	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	F0geI.exe
PID 2476 wrote to memory of 3752	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	F0geI.exe
PID 2476 wrote to memory of 3752	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	F0geI.exe
PID 2476 wrote to memory of 3192	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	kukurzka9000.exe
PID 2476 wrote to memory of 3192	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	kukurzka9000.exe
PID 2476 wrote to memory of 3192	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	kukurzka9000.exe
PID 2476 wrote to memory of 1940	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	namdoitntn.exe
PID 2476 wrote to memory of 1940	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	namdoitntn.exe
PID 2476 wrote to memory of 1940	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	namdoitntn.exe
PID 2476 wrote to memory of 2500	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	real.exe
PID 2476 wrote to memory of 2500	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	real.exe
PID 2476 wrote to memory of 2500	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	real.exe
PID 2476 wrote to memory of 4688	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	safert44.exe
PID 2476 wrote to memory of 4688	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	safert44.exe
PID 2476 wrote to memory of 4688	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	safert44.exe
PID 2476 wrote to memory of 1420	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	tag.exe
PID 2476 wrote to memory of 1420	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	tag.exe
PID 2476 wrote to memory of 1420	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	tag.exe
PID 2476 wrote to memory of 4260	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	EU1.exe
PID 2476 wrote to memory of 4260	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	EU1.exe
PID 2476 wrote to memory of 4260	2476	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	EU1.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1972	4344	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
"C:\Users\Admin\AppData\Local\Temp\972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A3PL4
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14246233782800104539,2154114348232409727,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
3⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14246233782800104539,2154114348232409727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n7LH4
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,10599769009475402253,15385178715513301620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
3⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,10599769009475402253,15385178715513301620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
3⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
3⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
3⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
3⤵
PID:6408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
3⤵
PID:6608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
3⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
3⤵
PID:6712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
3⤵
PID:6784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
3⤵
PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 /prefetch:8
3⤵
PID:6964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6608 /prefetch:8
3⤵
PID:7080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
3⤵
PID:7132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:7148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8336 /prefetch:8
3⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff639fc5460,0x7ff639fc5470,0x7ff639fc5480
4⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8336 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3488 /prefetch:8
3⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
3⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7828372005818536379,11777995984631029521,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9208 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15722221690206271034,13989174265995841247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
3⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15722221690206271034,13989174265995841247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11163925809638833817,12798294938745863959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11163925809638833817,12798294938745863959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5718926359405698891,5194377952167183386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5718926359405698891,5194377952167183386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RfaV4
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd542946f8,0x7ffd54294708,0x7ffd54294718
3⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4519160683734558863,10799103210285456202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 /prefetch:2
3⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4519160683734558863,10799103210285456202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5432

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 552
3⤵
- Program crash
PID:6948

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:3192

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3752 -ip 3752
1⤵
PID:6516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3692

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\msedgerecovery.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={1c576fbc-5354-40d9-a224-032940da6957} --system
2⤵
- Executes dropped EXE
PID:6868

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\MicrosoftEdgeUpdateSetup.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir3692_1964612258\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3708

C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU5B3A.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
4⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3148

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3432

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:6876

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:6076

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:6440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTcuNjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTcuNjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEQxMUIzNUItOEE4Mi00N0EzLUE4MDMtQTE1NDQxQ0Q5MjlEfSIgdXNlcmlkPSJ7RDU1MEEzQTctOEZFRC00QzFCLUE2NkItMUYwRDE5MjAwRTU4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezkwRkEyOEM0LTk2MDYtNDRDQS05ODg5LTMxQTg5MzMwOTQwRn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xNTcuNjEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGluc3RhbGxfdGltZV9tcz0iODI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
61f51370de492e1b8fd565c68aa3141d

SHA1
89da629358f5e7fd4da717a15fd72b74869af631

SHA256
19338864f06ba621eb3543d3a00ca4297d140e270a7ed1af174b61449a128355

SHA512
8aaed5770ee595c458f6e25e1ad40ff482e4b1343dd1a8b289f69b88236afc209c1f63094c95f2522728f7a5460b3de4f76938d69e03b5432316dbbf9c35e200

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
61f51370de492e1b8fd565c68aa3141d

SHA1
89da629358f5e7fd4da717a15fd72b74869af631

SHA256
19338864f06ba621eb3543d3a00ca4297d140e270a7ed1af174b61449a128355

SHA512
8aaed5770ee595c458f6e25e1ad40ff482e4b1343dd1a8b289f69b88236afc209c1f63094c95f2522728f7a5460b3de4f76938d69e03b5432316dbbf9c35e200

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
c334f2f742fc8f7c13dfa2a01da3f46a

SHA1
d020819927da87bc5499df52e12dc5211a09ef61

SHA256
92e9d7c3e28e78b7702d1de113e7b1ffbd6fe1447159e1982e0158aafe5e75cb

SHA512
43deb443af74f5086d58d7d79af0407c2c6ef94ed338dfd2311dd595388143929a1ad8550b60d30a54e13207a3c95fa26be6fad773f191a56ca845c1055b5156

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
c334f2f742fc8f7c13dfa2a01da3f46a

SHA1
d020819927da87bc5499df52e12dc5211a09ef61

SHA256
92e9d7c3e28e78b7702d1de113e7b1ffbd6fe1447159e1982e0158aafe5e75cb

SHA512
43deb443af74f5086d58d7d79af0407c2c6ef94ed338dfd2311dd595388143929a1ad8550b60d30a54e13207a3c95fa26be6fad773f191a56ca845c1055b5156

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
85ca788dc2178a2218b4cb9a3f7fb0f3

SHA1
e1bad29052e1321d7cc88fd021121e29a559b729

SHA256
49ffd6d1df9ce4fbeb009d42f7b5003ad6e111e3afa9b9f6b8df30c161038206

SHA512
9b9b06dea8083a676cc5769aa443f0291f02f85ead012e7a052afcc58a7123939213f5d92907823c4cebd9fcf043f5229a13be3d75e0db371f2144d3ab67e163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
85ca788dc2178a2218b4cb9a3f7fb0f3

SHA1
e1bad29052e1321d7cc88fd021121e29a559b729

SHA256
49ffd6d1df9ce4fbeb009d42f7b5003ad6e111e3afa9b9f6b8df30c161038206

SHA512
9b9b06dea8083a676cc5769aa443f0291f02f85ead012e7a052afcc58a7123939213f5d92907823c4cebd9fcf043f5229a13be3d75e0db371f2144d3ab67e163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
85ca788dc2178a2218b4cb9a3f7fb0f3

SHA1
e1bad29052e1321d7cc88fd021121e29a559b729

SHA256
49ffd6d1df9ce4fbeb009d42f7b5003ad6e111e3afa9b9f6b8df30c161038206

SHA512
9b9b06dea8083a676cc5769aa443f0291f02f85ead012e7a052afcc58a7123939213f5d92907823c4cebd9fcf043f5229a13be3d75e0db371f2144d3ab67e163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
85ca788dc2178a2218b4cb9a3f7fb0f3

SHA1
e1bad29052e1321d7cc88fd021121e29a559b729

SHA256
49ffd6d1df9ce4fbeb009d42f7b5003ad6e111e3afa9b9f6b8df30c161038206

SHA512
9b9b06dea8083a676cc5769aa443f0291f02f85ead012e7a052afcc58a7123939213f5d92907823c4cebd9fcf043f5229a13be3d75e0db371f2144d3ab67e163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
1b3e04bc1c8293bec5d9777dad09d8df

SHA1
fdd3d694a1993a3638faefa7af7d3edae3e52202

SHA256
d50def62ff9ab01e56dde64184940af72707c74e50531163b6b5ffd82eed10f4

SHA512
026b4f52cc8f2b64842f6cf53da5de1597c7e5bb8fd660c837822dfeae874e5f29aecc1c9bd2e1dbfeb8a9976de7817d4cc2fded394e302a325206bab4258364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
1b3e04bc1c8293bec5d9777dad09d8df

SHA1
fdd3d694a1993a3638faefa7af7d3edae3e52202

SHA256
d50def62ff9ab01e56dde64184940af72707c74e50531163b6b5ffd82eed10f4

SHA512
026b4f52cc8f2b64842f6cf53da5de1597c7e5bb8fd660c837822dfeae874e5f29aecc1c9bd2e1dbfeb8a9976de7817d4cc2fded394e302a325206bab4258364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
1b3e04bc1c8293bec5d9777dad09d8df

SHA1
fdd3d694a1993a3638faefa7af7d3edae3e52202

SHA256
d50def62ff9ab01e56dde64184940af72707c74e50531163b6b5ffd82eed10f4

SHA512
026b4f52cc8f2b64842f6cf53da5de1597c7e5bb8fd660c837822dfeae874e5f29aecc1c9bd2e1dbfeb8a9976de7817d4cc2fded394e302a325206bab4258364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
1b3e04bc1c8293bec5d9777dad09d8df

SHA1
fdd3d694a1993a3638faefa7af7d3edae3e52202

SHA256
d50def62ff9ab01e56dde64184940af72707c74e50531163b6b5ffd82eed10f4

SHA512
026b4f52cc8f2b64842f6cf53da5de1597c7e5bb8fd660c837822dfeae874e5f29aecc1c9bd2e1dbfeb8a9976de7817d4cc2fded394e302a325206bab4258364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
1b3e04bc1c8293bec5d9777dad09d8df

SHA1
fdd3d694a1993a3638faefa7af7d3edae3e52202

SHA256
d50def62ff9ab01e56dde64184940af72707c74e50531163b6b5ffd82eed10f4

SHA512
026b4f52cc8f2b64842f6cf53da5de1597c7e5bb8fd660c837822dfeae874e5f29aecc1c9bd2e1dbfeb8a9976de7817d4cc2fded394e302a325206bab4258364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
350bf115f2e2fd3b19d74575eaa1b540

SHA1
6e630a7ca93e5668abf28f63f8cafcd28614abbe

SHA256
a6e4e8a6cc8eefa26fcb51644db6c7a9d800eb4a230bd8b7dfa0896026e4c29d

SHA512
679dd585c134bd93085b2ccc436421f1f91316d7d54120cdc92033ff2b0a9c99ef7cc67fec3f0ba368fb19151de623d016863be7b315dc3bb846a9995b77cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
007709614bb3de70288cedc2bb85bc6e

SHA1
2b0049ace9237c72d5b068a07246870fbae9a41b

SHA256
2159616661c7e0266d814763042fc6a1eb9f9b32783474fefc2171f1140e7ab1

SHA512
cb523fa8dc7d42a942fcfdff8bcf97812f76de3451731c01b3fc435afe73e4f1ba9393d34a85984f0348d2aa39a4d1f5b194b71e323e934b2d3a16c60ed246a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
323a8747edd41e3866775898abaf0118

SHA1
31e4a01cb5857f69063ff70925c7332e5f977c3e

SHA256
8c3a99739a5113d96cd5e93ea16aaf6545e1908694aca3520345ca60635d89d1

SHA512
afdefc77ba8622a231ea9115ef270beb5d20d3a1afbe71acca4099973998944c7ea3967669322ec346d546be330e849e0d6b3519d7951fd2ed21ff3497ef9b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f9d2b87a56feb981e7c6e2f85f03f450

SHA1
4f8d6e349dbaded96f52aa17e436e77b560ea2e6

SHA256
603963b45c4b6f263884acfdfc59d663b2c0fea5e577d610fea172ab4b5c638d

SHA512
51fa1af0439b22face5c0d1e221f82c15158f315dd1373788cf57b60b3eaade63fcf39764eb8b5fbf30b6725dac5915fa1c53c43eda50626147c822316f2f54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
17b9ba792e5b3d81a91d4653a4a4e7e9

SHA1
d11ff83ed99db82a36f94df860cbcf5643ec74a4

SHA256
2aa9ea714a52a89f6dd3432ff019453459faf959ab3c4a0f915d3913b987e4ed

SHA512
edfa2e238e06d674900a8e0e970773bae61043f8f21bcd5e4002a705f4c0d5908d9806f4331e961336dff50ec96bd78d2e36e927250910c42692a06a2c47ed85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ae1bd022c5c798ff855427da7bb70413

SHA1
3ec029904dfe670576115cc762701ef0d983b702

SHA256
61735423c542f3a84c9faad0fd0c5a1827eb6aaaea116708b751cec2426c245f

SHA512
ffed8cc1246d643e729671ae9dd47340859682f72022411069a272e764583ac1b145f6fab0f19bb81531b737cd325bf8f0bc663d7e3541ba16a5edcc6cdee876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0992c1d0d0449f10a2f799d16e94c23c

SHA1
08c005ab25de574341054b147054dfaf6cb6541f

SHA256
5be0707eb393ba4e6ba134bda1d192501e1ec333fc7a0d23e22f323b23a67df9

SHA512
9f322b3081ff934087cc0e30e2df16bed636e4bfbb6d7c8f06b2da3f5a47b22f4b2705f8206b68c1d6f0948ccadd09955fe572b6932e5fcb7187b057717710b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
bda6d09183d95b6e5ffbacaf351aaf58

SHA1
928d0b767f29c55b0717b84926f9750d182839d1

SHA256
af0fdbef2ba08bcece27af2cf787b0682154494e5813b9b0d6aef463d26681fa

SHA512
a78f0a6af278921a5b013af687d1f7afe1b0dd2e02316c85922cdc3eca61673e3926d2e3aad5888152823d3bae321e828e553366ba7c45a5bc26b28902fd7e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
bda6d09183d95b6e5ffbacaf351aaf58

SHA1
928d0b767f29c55b0717b84926f9750d182839d1

SHA256
af0fdbef2ba08bcece27af2cf787b0682154494e5813b9b0d6aef463d26681fa

SHA512
a78f0a6af278921a5b013af687d1f7afe1b0dd2e02316c85922cdc3eca61673e3926d2e3aad5888152823d3bae321e828e553366ba7c45a5bc26b28902fd7e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
17b9ba792e5b3d81a91d4653a4a4e7e9

SHA1
d11ff83ed99db82a36f94df860cbcf5643ec74a4

SHA256
2aa9ea714a52a89f6dd3432ff019453459faf959ab3c4a0f915d3913b987e4ed

SHA512
edfa2e238e06d674900a8e0e970773bae61043f8f21bcd5e4002a705f4c0d5908d9806f4331e961336dff50ec96bd78d2e36e927250910c42692a06a2c47ed85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f9d2b87a56feb981e7c6e2f85f03f450

SHA1
4f8d6e349dbaded96f52aa17e436e77b560ea2e6

SHA256
603963b45c4b6f263884acfdfc59d663b2c0fea5e577d610fea172ab4b5c638d

SHA512
51fa1af0439b22face5c0d1e221f82c15158f315dd1373788cf57b60b3eaade63fcf39764eb8b5fbf30b6725dac5915fa1c53c43eda50626147c822316f2f54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ae1bd022c5c798ff855427da7bb70413

SHA1
3ec029904dfe670576115cc762701ef0d983b702

SHA256
61735423c542f3a84c9faad0fd0c5a1827eb6aaaea116708b751cec2426c245f

SHA512
ffed8cc1246d643e729671ae9dd47340859682f72022411069a272e764583ac1b145f6fab0f19bb81531b737cd325bf8f0bc663d7e3541ba16a5edcc6cdee876

Download Submit
\??\pipe\LOCAL\crashpad_2292_XOTZXIINVNUOYCMJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2604_CUIDOAUAKHMUUSYB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4188_CLSLTSOWFVZZRCKL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4344_OSCKENJKUPUORGCS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4468_FLXCEPHLQROVPPBC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_616_BNJKALFOKJVKLPMY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/240-316-0x0000000000000000-mapping.dmp

Download
memory/616-131-0x0000000000000000-mapping.dmp

Download
memory/1340-315-0x0000000000000000-mapping.dmp

Download
memory/1420-178-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1420-299-0x00000000065F0000-0x0000000006640000-memory.dmp

Filesize
320KB

Download
memory/1420-292-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/1420-170-0x0000000000000000-mapping.dmp

Download
memory/1420-181-0x0000000005070000-0x0000000005688000-memory.dmp

Filesize
6.1MB

Download
memory/1420-182-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/1592-135-0x0000000000000000-mapping.dmp

Download
memory/1624-301-0x0000000000000000-mapping.dmp

Download
memory/1940-156-0x0000000000000000-mapping.dmp

Download
memory/1940-175-0x0000000000A70000-0x0000000000AB4000-memory.dmp

Filesize
272KB

Download
memory/1972-197-0x0000000000000000-mapping.dmp

Download
memory/2084-199-0x0000000000000000-mapping.dmp

Download
memory/2156-137-0x0000000000000000-mapping.dmp

Download
memory/2272-148-0x0000000000000000-mapping.dmp

Download
memory/2292-144-0x0000000000000000-mapping.dmp

Download
memory/2384-257-0x0000000000000000-mapping.dmp

Download
memory/2500-213-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2500-166-0x0000000000000000-mapping.dmp

Download
memory/2604-146-0x0000000000000000-mapping.dmp

Download
memory/3148-310-0x0000000000000000-mapping.dmp

Download
memory/3192-153-0x0000000000000000-mapping.dmp

Download
memory/3192-190-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/3192-196-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3432-311-0x0000000000000000-mapping.dmp

Download
memory/3436-300-0x0000000000000000-mapping.dmp

Download
memory/3444-306-0x0000000000000000-mapping.dmp

Download
memory/3524-130-0x0000000000000000-mapping.dmp

Download
memory/3708-308-0x0000000000000000-mapping.dmp

Download
memory/3752-212-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3752-208-0x0000000000703000-0x0000000000714000-memory.dmp

Filesize
68KB

Download
memory/3752-273-0x0000000000703000-0x0000000000714000-memory.dmp

Filesize
68KB

Download
memory/3752-246-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3752-150-0x0000000000000000-mapping.dmp

Download
memory/3752-284-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3752-285-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3800-145-0x0000000000000000-mapping.dmp

Download
memory/4100-142-0x0000000000000000-mapping.dmp

Download
memory/4188-136-0x0000000000000000-mapping.dmp

Download
memory/4260-174-0x0000000000000000-mapping.dmp

Download
memory/4344-134-0x0000000000000000-mapping.dmp

Download
memory/4408-304-0x0000000000000000-mapping.dmp

Download
memory/4412-133-0x0000000000000000-mapping.dmp

Download
memory/4420-132-0x0000000000000000-mapping.dmp

Download
memory/4468-141-0x0000000000000000-mapping.dmp

Download
memory/4576-309-0x0000000000000000-mapping.dmp

Download
memory/4688-245-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/4688-167-0x0000000000000000-mapping.dmp

Download
memory/4688-293-0x0000000006800000-0x0000000006DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4688-294-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4688-187-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/4688-295-0x0000000005FE0000-0x0000000006056000-memory.dmp

Filesize
472KB

Download
memory/4688-298-0x00000000089D0000-0x0000000008EFC000-memory.dmp

Filesize
5.2MB

Download
memory/4688-297-0x0000000006DB0000-0x0000000006F72000-memory.dmp

Filesize
1.8MB

Download
memory/4688-296-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/4688-173-0x0000000000730000-0x0000000000774000-memory.dmp

Filesize
272KB

Download
memory/5296-201-0x0000000000000000-mapping.dmp

Download
memory/5308-202-0x0000000000000000-mapping.dmp

Download
memory/5348-204-0x0000000000000000-mapping.dmp

Download
memory/5364-205-0x0000000000000000-mapping.dmp

Download
memory/5396-207-0x0000000000000000-mapping.dmp

Download
memory/5408-206-0x0000000000000000-mapping.dmp

Download
memory/5420-211-0x0000000000000000-mapping.dmp

Download
memory/5432-209-0x0000000000000000-mapping.dmp

Download
memory/5440-210-0x0000000000000000-mapping.dmp

Download
memory/5604-232-0x0000000000000000-mapping.dmp

Download
memory/5648-238-0x0000000000000000-mapping.dmp

Download
memory/5656-244-0x0000000000000000-mapping.dmp

Download
memory/5664-237-0x0000000000000000-mapping.dmp

Download
memory/5996-259-0x0000000000000000-mapping.dmp

Download
memory/6076-313-0x0000000000000000-mapping.dmp

Download
memory/6116-317-0x0000000000000000-mapping.dmp

Download
memory/6408-270-0x0000000000000000-mapping.dmp

Download
memory/6440-314-0x0000000000000000-mapping.dmp

Download
memory/6608-272-0x0000000000000000-mapping.dmp

Download
memory/6640-275-0x0000000000000000-mapping.dmp

Download
memory/6712-277-0x0000000000000000-mapping.dmp

Download
memory/6728-302-0x0000000000000000-mapping.dmp

Download
memory/6784-279-0x0000000000000000-mapping.dmp

Download
memory/6868-307-0x0000000000000000-mapping.dmp

Download
memory/6872-281-0x0000000000000000-mapping.dmp

Download
memory/6876-312-0x0000000000000000-mapping.dmp

Download
memory/6964-283-0x0000000000000000-mapping.dmp

Download
memory/7080-287-0x0000000000000000-mapping.dmp

Download
memory/7132-289-0x0000000000000000-mapping.dmp

Download
memory/7148-291-0x0000000000000000-mapping.dmp

Download