privateloader | 1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
Size

1.2MB
MD5

639d06b10139df65ffdacdc7ad8edf30
SHA1

a8917241f1c134c97cb5a145d3226ea29bbfe517
SHA256

1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244
SHA512

49d4d6fa9088246c127639f06242d2ce7c48f2f2131637836756ad74fab321df88f1b6989ac2899dd1cbda4b9390ff5ae4ce917d38d834bc055b25b53619debb

Score

10^/10

privateloader raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 alex f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer loader persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

alex

185.106.92.128:16509

Attributes

auth_value
4f79d5b8f5aae9e19c9693489b4872c0

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

185.215.113.46:8223

Attributes

auth_value
1c36b510dbc8ee0265942899b008d972

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.84

rc4.plain

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://193.233.177.215/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5956-255-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral1/memory/5956-249-0x00000000026C0000-0x00000000026D6000-memory.dmp	family_raccoon
behavioral1/memory/5956-286-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral1/memory/6076-293-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral1/memory/6076-292-0x00000000001E0000-0x00000000001EF000-memory.dmp	family_raccoon
behavioral1/memory/5956-296-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 15 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	family_redline
behavioral1/memory/4708-192-0x00000000001C0000-0x0000000000204000-memory.dmp	family_redline
behavioral1/memory/4736-189-0x0000000000650000-0x0000000000670000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/5344-199-0x0000000000130000-0x0000000000174000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral1/memory/5716-205-0x00000000002D0000-0x00000000002F0000-memory.dmp	family_redline
behavioral1/memory/6444-261-0x0000000000D80000-0x0000000000DA0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

namdoitntn.exereal.exeRoman_12020.exesafert44.exetag.exekukurzka9000.exeF0geI.exeg3rgg.exeEU1.exeHappyRoot.exe

pid	process
4708	namdoitntn.exe
796	real.exe
4736	Roman_12020.exe
5344	safert44.exe
5716	tag.exe
5956	kukurzka9000.exe
6076	F0geI.exe
5272	g3rgg.exe
6204	EU1.exe
6444	HappyRoot.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe

Loads dropped DLL 3 IoCs

Processes:

kukurzka9000.exe

pid process

5956 kukurzka9000.exe
5956 kukurzka9000.exe
5956 kukurzka9000.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
5956	kukurzka9000.exe
5956	kukurzka9000.exe
5956	kukurzka9000.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 12 IoCs

Processes:

1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\g3rgg.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220801155359.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c6353427-a72d-4df7-8958-4380071d8a96.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5288 6076 WerFault.exe F0geI.exe
4788 5272 WerFault.exe g3rgg.exe

pid	pid_target	process	target process
5288	6076	WerFault.exe	F0geI.exe
4788	5272	WerFault.exe	g3rgg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exetag.exeRoman_12020.exesafert44.exenamdoitntn.exeidentity_helper.exeHappyRoot.exemsedge.exe

pid	process
2312	msedge.exe
2312	msedge.exe
4616	msedge.exe
4616	msedge.exe
2016	msedge.exe
2016	msedge.exe
1240	msedge.exe
1240	msedge.exe
5188	msedge.exe
5188	msedge.exe
4084	msedge.exe
4084	msedge.exe
796	real.exe
796	real.exe
5716	tag.exe
5716	tag.exe
4736	Roman_12020.exe
4736	Roman_12020.exe
5344	safert44.exe
5344	safert44.exe
4708	namdoitntn.exe
4708	namdoitntn.exe
6508	identity_helper.exe
6508	identity_helper.exe
6444	HappyRoot.exe
6444	HappyRoot.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tag.exeRoman_12020.exesafert44.exenamdoitntn.exeHappyRoot.exe

description	pid	process
Token: SeDebugPrivilege	5716	tag.exe
Token: SeDebugPrivilege	4736	Roman_12020.exe
Token: SeDebugPrivilege	5344	safert44.exe
Token: SeDebugPrivilege	4708	namdoitntn.exe
Token: SeDebugPrivilege	6444	HappyRoot.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4084 msedge.exe
4084 msedge.exe
4084 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 932 wrote to memory of 4332	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 4332	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 4084	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 4084	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 1132	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 1132	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 616	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 616	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 4084 wrote to memory of 3988	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 3988	4084	msedge.exe	msedge.exe
PID 1132 wrote to memory of 3204	1132	msedge.exe	msedge.exe
PID 1132 wrote to memory of 3204	1132	msedge.exe	msedge.exe
PID 4332 wrote to memory of 3856	4332	msedge.exe	msedge.exe
PID 4332 wrote to memory of 3856	4332	msedge.exe	msedge.exe
PID 616 wrote to memory of 1300	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 1300	616	msedge.exe	msedge.exe
PID 932 wrote to memory of 320	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 320	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 320 wrote to memory of 380	320	msedge.exe	msedge.exe
PID 320 wrote to memory of 380	320	msedge.exe	msedge.exe
PID 932 wrote to memory of 2284	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 932 wrote to memory of 2284	932	1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe	msedge.exe
PID 2284 wrote to memory of 1640	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 1640	2284	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe
PID 4084 wrote to memory of 4836	4084	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe
"C:\Users\Admin\AppData\Local\Temp\1459f8148aff6502cfc065c79b94c2059304ce9b11820cf6b2cf7ed0c2224244.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2630972211624940190,13380853214089492211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
3⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2630972211624940190,13380853214089492211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
3⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
3⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
3⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
3⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
3⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
3⤵
PID:6092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
3⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
3⤵
PID:6456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
3⤵
PID:6592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 /prefetch:8
3⤵
PID:6688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
3⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
3⤵
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
3⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff68f735460,0x7ff68f735470,0x7ff68f735480
4⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8408 /prefetch:8
3⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8
3⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8228 /prefetch:8
3⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8488 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1928,12655649931732070623,12017257921103872617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
3⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6281866753102832683,6409945599430357606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
3⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6281866753102832683,6409945599430357606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12083036396669344510,1698863568548212980,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12083036396669344510,1698863568548212980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n7LH4
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,425401995252855353,14653198745103625438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,425401995252855353,14653198745103625438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
3⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nfDK4
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:1640

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
"C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5716

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5956

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 552
3⤵
- Program crash
PID:5288

C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
"C:\Program Files (x86)\Company\NewProduct\g3rgg.exe"
2⤵
- Executes dropped EXE
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 1804
3⤵
- Program crash
PID:4788

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nzwK4
2⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:6428

C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
"C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ay2Z4
2⤵
PID:6928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
3⤵
PID:6952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdd3f446f8,0x7ffdd3f44708,0x7ffdd3f44718
1⤵
PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6076 -ip 6076
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5272 -ip 5272
1⤵
PID:6524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
Filesize
107KB

MD5
ba055c9213817647673b72f9ea898de9

SHA1
e45a767b0fb77920d28198169f4e7d16809b9c9a

SHA256
d2cb8ab16c0a8b29c99abab063775f3e0a115e5a4da9082064c7bc4a58cd6838

SHA512
6fa57b1f0979aff2e746433c5c1ba3a7d8543c7938837b874b3c73f0520550d02f751c4c46b8c460e9672062d9b5c4e4d8a31d72fd2e448533986da2da7aacb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
Filesize
107KB

MD5
ba055c9213817647673b72f9ea898de9

SHA1
e45a767b0fb77920d28198169f4e7d16809b9c9a

SHA256
d2cb8ab16c0a8b29c99abab063775f3e0a115e5a4da9082064c7bc4a58cd6838

SHA512
6fa57b1f0979aff2e746433c5c1ba3a7d8543c7938837b874b3c73f0520550d02f751c4c46b8c460e9672062d9b5c4e4d8a31d72fd2e448533986da2da7aacb9

Download Submit
C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
Filesize
386KB

MD5
59be2ebcf6516dd07ee5df8eae402523

SHA1
e4e5b949a0c9721e4c89f124750d8a97e4d96c7e

SHA256
d2952be5c81f4135c0953b7b36677704f24f4d780de268ce6b67a44a6f15419a

SHA512
9148e9a303a3562f9552da8fa6cdd3c1d4034be31d20968a8dc51904c0d4cf167c0cdfa0d6ceac0ec0a24a975b8c04de9a1d4d67f0056dce810ad4e5b83215d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
Filesize
386KB

MD5
59be2ebcf6516dd07ee5df8eae402523

SHA1
e4e5b949a0c9721e4c89f124750d8a97e4d96c7e

SHA256
d2952be5c81f4135c0953b7b36677704f24f4d780de268ce6b67a44a6f15419a

SHA512
9148e9a303a3562f9552da8fa6cdd3c1d4034be31d20968a8dc51904c0d4cf167c0cdfa0d6ceac0ec0a24a975b8c04de9a1d4d67f0056dce810ad4e5b83215d2

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
c334f2f742fc8f7c13dfa2a01da3f46a

SHA1
d020819927da87bc5499df52e12dc5211a09ef61

SHA256
92e9d7c3e28e78b7702d1de113e7b1ffbd6fe1447159e1982e0158aafe5e75cb

SHA512
43deb443af74f5086d58d7d79af0407c2c6ef94ed338dfd2311dd595388143929a1ad8550b60d30a54e13207a3c95fa26be6fad773f191a56ca845c1055b5156

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
c334f2f742fc8f7c13dfa2a01da3f46a

SHA1
d020819927da87bc5499df52e12dc5211a09ef61

SHA256
92e9d7c3e28e78b7702d1de113e7b1ffbd6fe1447159e1982e0158aafe5e75cb

SHA512
43deb443af74f5086d58d7d79af0407c2c6ef94ed338dfd2311dd595388143929a1ad8550b60d30a54e13207a3c95fa26be6fad773f191a56ca845c1055b5156

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
30c3f5945fa2efbbfa7f60fd0bf17366

SHA1
fb7d52747327de5f4ca4e473b10956411f03e0fc

SHA256
4dc42d0c7c1c309738c4d536cc248479aefaa96cfb87812c2c026bb2309f222c

SHA512
ecb4f91cd41a628ef6c02e9d10605b0d7cd73e0ec85db8e37b240e341ed4caf03deb2e76f283abaffa34ea8fef3bba0cae035d7a1c20226db11f01c81c303199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
be2d50678040fe8c210d763a9dde8fb1

SHA1
a9a1a0cf09dc12ec0a969b9142ed67f9c79594db

SHA256
fd28b1a9af74d75b6252f109f7ac7a962986d12100b89653cd1e2fd7fa74e9f4

SHA512
eae808975c404c67b3e3e41f576e94ce2885285e185143dfbdade74e7cbdd1af81a863a39f1fd3f42193ca0bbea3c80c0658e2fca39e538ec5d896b1d0e75ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
6694cac8e5055dca8deaecbef6067707

SHA1
6d391b0c6d7b0a5a5e8235b186cc52d1056f56c4

SHA256
853bca4966e67dd2100b3a91bc47e050df9d36d02d080e60b8bf83e2f92996d0

SHA512
5f9e58c4a209468f007dcd68f864858776036312cbf61948713a43021f65aa4502feb3b9cf6004fa199f4500517ca2e0cb683efc6f7fef48c0026d8e8ec90861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
01e0cb7c50d56e5a9f319a79d73c6e10

SHA1
c28c907d2b654ac209195c447e600c4928c1c739

SHA256
14954b74dcfa86ad3ac52a3f9ea36ce8ad9f8dc302ef5f7192527036e3bb2c4d

SHA512
161d24bd2a07cef9d51ae3e7938d201b84814e8bb7266d08e41564774aa52c41761ef10582b0a33bb8bf3f4437b505caccb3170b6fad02c6f6b949fc522439dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
794c98943b63aaefa1550f1c3d485c21

SHA1
428011625bb89ab03cefbde615357848541a53fe

SHA256
bbae333d35f1b19b111ef232b50ddf51a3849372f8c8523cce3c01abea2869fb

SHA512
85f8d35edf1a7642f468b0145de231bfc6f5f1843d57381a12542e272f39596f3ec4cffa1ca97f7ace304e95c794dcf3eef6f9a940b8e57656b7d25adb9d5e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
01e0cb7c50d56e5a9f319a79d73c6e10

SHA1
c28c907d2b654ac209195c447e600c4928c1c739

SHA256
14954b74dcfa86ad3ac52a3f9ea36ce8ad9f8dc302ef5f7192527036e3bb2c4d

SHA512
161d24bd2a07cef9d51ae3e7938d201b84814e8bb7266d08e41564774aa52c41761ef10582b0a33bb8bf3f4437b505caccb3170b6fad02c6f6b949fc522439dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9ba14331ddbbd290945cb10417249ada

SHA1
b9ba0eab5ba53ad87004b2ff26c4b5d7f35d721e

SHA256
85573fd2a3bbf39adfbf5fd200ce1156a0641a2cb2fd5b292019ed22733bcd56

SHA512
662f3921e71ebf50939760df9e5711e99d1f404b2180f6f1cc9f4c3b6357fc7a04c310c79b9e0d6055ab202e43f94a050c16bdf7cdae7ef3c22d39e35957b2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9ba14331ddbbd290945cb10417249ada

SHA1
b9ba0eab5ba53ad87004b2ff26c4b5d7f35d721e

SHA256
85573fd2a3bbf39adfbf5fd200ce1156a0641a2cb2fd5b292019ed22733bcd56

SHA512
662f3921e71ebf50939760df9e5711e99d1f404b2180f6f1cc9f4c3b6357fc7a04c310c79b9e0d6055ab202e43f94a050c16bdf7cdae7ef3c22d39e35957b2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
6694cac8e5055dca8deaecbef6067707

SHA1
6d391b0c6d7b0a5a5e8235b186cc52d1056f56c4

SHA256
853bca4966e67dd2100b3a91bc47e050df9d36d02d080e60b8bf83e2f92996d0

SHA512
5f9e58c4a209468f007dcd68f864858776036312cbf61948713a43021f65aa4502feb3b9cf6004fa199f4500517ca2e0cb683efc6f7fef48c0026d8e8ec90861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
794c98943b63aaefa1550f1c3d485c21

SHA1
428011625bb89ab03cefbde615357848541a53fe

SHA256
bbae333d35f1b19b111ef232b50ddf51a3849372f8c8523cce3c01abea2869fb

SHA512
85f8d35edf1a7642f468b0145de231bfc6f5f1843d57381a12542e272f39596f3ec4cffa1ca97f7ace304e95c794dcf3eef6f9a940b8e57656b7d25adb9d5e0e

Download Submit
\??\pipe\LOCAL\crashpad_1132_AFUFDGUQRPEFCKZO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_320_HZNDHDNZNXZUBDVK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4084_LANABBQMISROFLXK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4332_DZGHOLVZUZLEMKVQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_616_RPHVZHAIXJXFHDTV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/320-141-0x0000000000000000-mapping.dmp

Download
memory/380-142-0x0000000000000000-mapping.dmp

Download
memory/528-168-0x0000000000000000-mapping.dmp

Download
memory/616-133-0x0000000000000000-mapping.dmp

Download
memory/796-236-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/796-176-0x0000000000000000-mapping.dmp

Download
memory/1116-303-0x0000000000000000-mapping.dmp

Download
memory/1132-132-0x0000000000000000-mapping.dmp

Download
memory/1188-305-0x0000000000000000-mapping.dmp

Download
memory/1240-183-0x0000000000000000-mapping.dmp

Download
memory/1300-137-0x0000000000000000-mapping.dmp

Download
memory/1408-310-0x0000000000000000-mapping.dmp

Download
memory/1640-149-0x0000000000000000-mapping.dmp

Download
memory/2016-164-0x0000000000000000-mapping.dmp

Download
memory/2284-148-0x0000000000000000-mapping.dmp

Download
memory/2312-167-0x0000000000000000-mapping.dmp

Download
memory/2520-298-0x0000000000000000-mapping.dmp

Download
memory/3164-308-0x0000000000000000-mapping.dmp

Download
memory/3204-135-0x0000000000000000-mapping.dmp

Download
memory/3500-299-0x0000000000000000-mapping.dmp

Download
memory/3856-136-0x0000000000000000-mapping.dmp

Download
memory/3988-134-0x0000000000000000-mapping.dmp

Download
memory/4024-161-0x0000000000000000-mapping.dmp

Download
memory/4084-131-0x0000000000000000-mapping.dmp

Download
memory/4272-301-0x0000000000000000-mapping.dmp

Download
memory/4332-130-0x0000000000000000-mapping.dmp

Download
memory/4564-184-0x0000000000000000-mapping.dmp

Download
memory/4616-162-0x0000000000000000-mapping.dmp

Download
memory/4660-307-0x0000000000000000-mapping.dmp

Download
memory/4708-280-0x0000000006D10000-0x0000000006D2E000-memory.dmp

Filesize
120KB

Download
memory/4708-279-0x0000000006C70000-0x0000000006CE6000-memory.dmp

Filesize
472KB

Download
memory/4708-159-0x0000000000000000-mapping.dmp

Download
memory/4708-278-0x0000000007FB0000-0x0000000008042000-memory.dmp

Filesize
584KB

Download
memory/4708-283-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4708-276-0x0000000008560000-0x0000000008B04000-memory.dmp

Filesize
5.6MB

Download
memory/4708-192-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/4736-189-0x0000000000650000-0x0000000000670000-memory.dmp

Filesize
128KB

Download
memory/4736-231-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/4736-218-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/4736-182-0x0000000000000000-mapping.dmp

Download
memory/4836-155-0x0000000000000000-mapping.dmp

Download
memory/4916-178-0x0000000000000000-mapping.dmp

Download
memory/5100-158-0x0000000000000000-mapping.dmp

Download
memory/5188-188-0x0000000000000000-mapping.dmp

Download
memory/5272-295-0x0000000000739000-0x000000000075F000-memory.dmp

Filesize
152KB

Download
memory/5272-288-0x0000000000739000-0x000000000075F000-memory.dmp

Filesize
152KB

Download
memory/5272-225-0x0000000000000000-mapping.dmp

Download
memory/5272-290-0x00000000020C0000-0x0000000002119000-memory.dmp

Filesize
356KB

Download
memory/5272-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5272-294-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5320-194-0x0000000000000000-mapping.dmp

Download
memory/5344-199-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/5344-193-0x0000000000000000-mapping.dmp

Download
memory/5344-223-0x0000000004D20000-0x0000000004E2A000-memory.dmp

Filesize
1.0MB

Download
memory/5372-224-0x0000000000000000-mapping.dmp

Download
memory/5468-200-0x0000000000000000-mapping.dmp

Download
memory/5716-284-0x0000000006500000-0x0000000006550000-memory.dmp

Filesize
320KB

Download
memory/5716-220-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/5716-285-0x0000000006720000-0x00000000068E2000-memory.dmp

Filesize
1.8MB

Download
memory/5716-287-0x0000000006E20000-0x000000000734C000-memory.dmp

Filesize
5.2MB

Download
memory/5716-205-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/5716-201-0x0000000000000000-mapping.dmp

Download
memory/5812-206-0x0000000000000000-mapping.dmp

Download
memory/5956-296-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5956-286-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5956-249-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/5956-255-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5956-209-0x0000000000000000-mapping.dmp

Download
memory/5964-210-0x0000000000000000-mapping.dmp

Download
memory/6028-214-0x0000000000000000-mapping.dmp

Download
memory/6076-216-0x0000000000000000-mapping.dmp

Download
memory/6076-291-0x00000000007D3000-0x00000000007E4000-memory.dmp

Filesize
68KB

Download
memory/6076-293-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/6076-292-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/6092-217-0x0000000000000000-mapping.dmp

Download
memory/6204-230-0x0000000000000000-mapping.dmp

Download
memory/6376-245-0x0000000000000000-mapping.dmp

Download
memory/6428-248-0x0000000000000000-mapping.dmp

Download
memory/6444-250-0x0000000000000000-mapping.dmp

Download
memory/6444-261-0x0000000000D80000-0x0000000000DA0000-memory.dmp

Filesize
128KB

Download
memory/6456-254-0x0000000000000000-mapping.dmp

Download
memory/6508-297-0x0000000000000000-mapping.dmp

Download
memory/6592-265-0x0000000000000000-mapping.dmp

Download
memory/6688-269-0x0000000000000000-mapping.dmp

Download
memory/6844-274-0x0000000000000000-mapping.dmp

Download
memory/6928-275-0x0000000000000000-mapping.dmp

Download
memory/6952-277-0x0000000000000000-mapping.dmp

Download
memory/7068-282-0x0000000000000000-mapping.dmp

Download