Analysis
  max time kernel: 150s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20220721-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-08-2022 13:32
  Static task: static1
  Behavioral task: behavioral1
  Sample: b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110.exe
  Resource: win10v2004-20220721-en

General
  Target: b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110.exe
  Size: 936KB
  MD5: a3b0afc1b50c24f3760768789e6826ad
  SHA1: e0efd1f147379c712553657e4ee07a4d62c8889f
  SHA256: b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110
  SHA512: 2d235b1d8b3f81a574218ed73e163a874b57dccb632e5828de1864c15e7d12ee2224813d74272bd2d6ea4698bf09becda987d09d060f5641a7783014e7a07f85
Malware Config

Extracted configurations (one row per extraction):

  Family   Name/ID                            C2                      auth_value
  redline  nam3                               103.89.90.61:18728      64b900120bbceaa6a9c60e9079492895
  redline  4                                  31.41.244.134:11643     a516b2d034ecd34338f12b50347fbd92
  redline  @tag12312341                       62.204.41.144:14096     71466795417275fac01979e57016e277
  redline  (none)                             185.215.113.46:8223     1c36b510dbc8ee0265942899b008d972
  raccoon  afb5c633c4650f69312baef49db9dfa4   http://77.73.132.84     (none)
  redline  RuXa_RR88                          insttaller.com:37143    0d650b837937aa916d555af4efd041b0
  redline  5076357887                         195.54.170.157:16525    0dfaff60271d374d0c206d19883e06f3
  raccoon  f0c8034c83808635df0d9d8726d1bfd6   http://45.95.11.158/    (none)
Signatures

Raccoon Stealer payload (6 IoCs)
  YARA rule family_raccoon matched on:
    behavioral1/memory/5524-245-0x0000000002180000-0x0000000002196000-memory.dmp
    behavioral1/memory/5524-249-0x0000000000400000-0x00000000004B5000-memory.dmp
    behavioral1/memory/5524-284-0x0000000000400000-0x00000000004B5000-memory.dmp
    behavioral1/memory/5524-285-0x0000000000400000-0x00000000004B5000-memory.dmp
    behavioral1/memory/5720-287-0x00000000001E0000-0x00000000001EF000-memory.dmp
    behavioral1/memory/5720-288-0x0000000000400000-0x000000000062B000-memory.dmp

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (18 IoCs)
  YARA rule family_redline matched on:
    C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
    behavioral1/memory/4112-177-0x0000000000C90000-0x0000000000CD4000-memory.dmp
    C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
    behavioral1/memory/2164-184-0x0000000000AE0000-0x0000000000B24000-memory.dmp
    C:\Program Files (x86)\Company\NewProduct\safert44.exe
    C:\Program Files (x86)\Company\NewProduct\safert44.exe
    C:\Program Files (x86)\Company\NewProduct\tag.exe
    C:\Program Files (x86)\Company\NewProduct\tag.exe
    behavioral1/memory/5376-193-0x0000000000B10000-0x0000000000B30000-memory.dmp
    behavioral1/memory/6092-240-0x0000000000DE0000-0x0000000000E00000-memory.dmp
    C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
    C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
    behavioral1/memory/5888-261-0x0000000000AC0000-0x0000000000AE0000-memory.dmp
    C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
    C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
    C:\Program Files (x86)\Company\NewProduct\jshainx.exe
    C:\Program Files (x86)\Company\NewProduct\jshainx.exe
    behavioral1/memory/2260-267-0x00000000002E0000-0x0000000000300000-memory.dmp

Downloads MZ/PE file

Executes dropped EXE (11 IoCs)
  pid   process
  4112  namdoitntn.exe
  4200  real.exe
  2164  safert44.exe
  5376  tag.exe
  5524  kukurzka9000.exe
  5720  F0geI.exe
  5896  EU1.exe
  6092  HappyRoot.exe
  5888  ffnameedit.exe
  2260  jshainx.exe
  4128  MinecraftForge.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
    by b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110.exe
    by jshainx.exe

Loads dropped DLL (3 IoCs)
  pid   process
  5524  kukurzka9000.exe
  5524  kukurzka9000.exe
  5524  kukurzka9000.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run
    by msedge.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in Program Files directory (12 IoCs)
  File opened for modification by b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110.exe:
    C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
    C:\Program Files (x86)\Company\NewProduct\EU1.exe
    C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
    C:\Program Files (x86)\Company\NewProduct\real.exe
    C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
    C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe
    C:\Program Files (x86)\Company\NewProduct\safert44.exe
    C:\Program Files (x86)\Company\NewProduct\tag.exe
    C:\Program Files (x86)\Company\NewProduct\F0geI.exe
    C:\Program Files (x86)\Company\NewProduct\jshainx.exe
  By setup.exe:
    File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\082338f9-9ca1-48d2-997a-693b8d1475b3.tmp
    File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220802133249.pma

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  process       target process
  5836  5720        WerFault.exe  F0geI.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    by real.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    by real.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    by msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    by msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    by msedge.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
    by msedge.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  5376  tag.exe
  Token: SeDebugPrivilege  2164  safert44.exe
  Token: SeDebugPrivilege  2260  jshainx.exe
  Token: SeDebugPrivilege  4112  (process name not recorded)
  Token: SeDebugPrivilege  5888  ffnameedit.exe
  Token: SeDebugPrivilege  6092  HappyRoot.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  764   msedge.exe
  764   msedge.exe
  764   msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (indented by depth; flagged behaviors listed as bullets under each process):

[1] "C:\Users\Admin\AppData\Local\Temp\b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b634718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3510848109390373635,6273689625306476867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3510848109390373635,6273689625306476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b634718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7200 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
      [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff765d65460,0x7ff765d65470,0x7ff765d65480
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8848 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4612 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,7426351030826793945,11777728794364689761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7128 /prefetch:8
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6520278467642082863,9607660690336134620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6520278467642082863,9607660690336134620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b634718
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,1703051455337260956,14220038798820298003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n7LH4
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b634718
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nfDK4
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b634718
  [2] "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
      - Executes dropped EXE
  [2] "C:\Program Files (x86)\Company\NewProduct\real.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 2643⤵
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\EU1.exe"C:\Program Files (x86)\Company\NewProduct\EU1.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Ay2Z42⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b6347183⤵
-
C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe"C:\Program Files (x86)\Company\NewProduct\HappyRoot.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1R7EV42⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b6347183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1R9EV42⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b6347183⤵
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe"C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc2b6346f8,0x7ffc2b634708,0x7ffc2b6347181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 57201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads