redline | 79ff85f42095cb721a36127f3e837a5e45a53645398215da960e15308879a58f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0341232d23900cb4c2a4de8c8618b887.exe
Size

980KB
MD5

0341232d23900cb4c2a4de8c8618b887
SHA1

2e1786e38ed0dab09220973160ea046d354343c8
SHA256

79ff85f42095cb721a36127f3e837a5e45a53645398215da960e15308879a58f
SHA512

4e46b36dacd53f8cc1431d0ab18ab54d0dbc6aad08637df41e9654fc12d369c7f4fb6976a8d79664a5d29fc7fbf97ddebb72adf1b0429e54843badf5924455f6

Score

10^/10

redline 4 @tag12312341 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

213.226.123.169:2014

Attributes

auth_value
5466def9b32e35b6a53d1117abb19867

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/4136-201-0x0000000000850000-0x0000000000894000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/6304-222-0x0000000000C90000-0x0000000000CD4000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
behavioral2/memory/6560-236-0x0000000000370000-0x0000000000390000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\default_usar.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\default_usar.exe	family_redline
behavioral2/memory/6788-249-0x00000000008B0000-0x00000000008D0000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exenuplat.exereal.exesafert44.exetag.exedefault_usar.exeEU1.exe

pid process

2888 F0geI.exe
4352 kukurzka9000.exe
4136 namdoitntn.exe
1932 nuplat.exe
5504 real.exe
6304 safert44.exe
6560 tag.exe
6788 default_usar.exe
6984 EU1.exe

pid	process
2888	F0geI.exe
4352	kukurzka9000.exe
4136	namdoitntn.exe
1932	nuplat.exe
5504	real.exe
6304	safert44.exe
6560	tag.exe
6788	default_usar.exe
6984	EU1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0341232d23900cb4c2a4de8c8618b887.exedefault_usar.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	0341232d23900cb4c2a4de8c8618b887.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	default_usar.exe

Loads dropped DLL 3 IoCs

Processes:

F0geI.exe

pid process

2888 F0geI.exe
2888 F0geI.exe
2888 F0geI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
2888	F0geI.exe
2888	F0geI.exe
2888	F0geI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 11 IoCs

Processes:

setup.exe0341232d23900cb4c2a4de8c8618b887.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220810200249.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	0341232d23900cb4c2a4de8c8618b887.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\edfcbab6-0375-4966-823d-b9692c6ecb4e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\default_usar.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\nuplat.exe	0341232d23900cb4c2a4de8c8618b887.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	0341232d23900cb4c2a4de8c8618b887.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4040 2888 WerFault.exe F0geI.exe

pid	pid_target	process	target process
4040	2888	WerFault.exe	F0geI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nuplat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nuplat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nuplat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exenuplat.exedefault_usar.exesafert44.exetag.exenamdoitntn.exeidentity_helper.exemsedge.exe

pid	process
1624	msedge.exe
1624	msedge.exe
4788	msedge.exe
4788	msedge.exe
4884	msedge.exe
4884	msedge.exe
1384	msedge.exe
1384	msedge.exe
1632	msedge.exe
1632	msedge.exe
1816	msedge.exe
1816	msedge.exe
6024	msedge.exe
6024	msedge.exe
1932	nuplat.exe
1932	nuplat.exe
6788	default_usar.exe
6788	default_usar.exe
6304	safert44.exe
6304	safert44.exe
6560	tag.exe
6560	tag.exe
4136	namdoitntn.exe
4136	namdoitntn.exe
6040	identity_helper.exe
6040	identity_helper.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe
1816	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

default_usar.exesafert44.exetag.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	6788	default_usar.exe
Token: SeDebugPrivilege	6304	safert44.exe
Token: SeDebugPrivilege	6560	tag.exe
Token: SeDebugPrivilege	4136	namdoitntn.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1816 msedge.exe
1816 msedge.exe
1816 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0341232d23900cb4c2a4de8c8618b887.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4224 wrote to memory of 1816	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 1816	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 2284	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 2284	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 4208	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 4208	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 1160	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 1160	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 1816 wrote to memory of 1308	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 1308	1816	msedge.exe	msedge.exe
PID 4208 wrote to memory of 4524	4208	msedge.exe	msedge.exe
PID 4208 wrote to memory of 4524	4208	msedge.exe	msedge.exe
PID 2284 wrote to memory of 2668	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 2668	2284	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1536	1160	msedge.exe	msedge.exe
PID 1160 wrote to memory of 1536	1160	msedge.exe	msedge.exe
PID 4224 wrote to memory of 864	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 864	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 864 wrote to memory of 3432	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3432	864	msedge.exe	msedge.exe
PID 4224 wrote to memory of 1936	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 1936	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 1936 wrote to memory of 5044	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 5044	1936	msedge.exe	msedge.exe
PID 4224 wrote to memory of 708	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 4224 wrote to memory of 708	4224	0341232d23900cb4c2a4de8c8618b887.exe	msedge.exe
PID 708 wrote to memory of 3848	708	msedge.exe	msedge.exe
PID 708 wrote to memory of 3848	708	msedge.exe	msedge.exe
PID 4224 wrote to memory of 2888	4224	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 4224 wrote to memory of 2888	4224	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 4224 wrote to memory of 2888	4224	0341232d23900cb4c2a4de8c8618b887.exe	F0geI.exe
PID 4224 wrote to memory of 4352	4224	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 4224 wrote to memory of 4352	4224	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 4224 wrote to memory of 4352	4224	0341232d23900cb4c2a4de8c8618b887.exe	kukurzka9000.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe
PID 1816 wrote to memory of 5012	1816	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0341232d23900cb4c2a4de8c8618b887.exe
"C:\Users\Admin\AppData\Local\Temp\0341232d23900cb4c2a4de8c8618b887.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ4
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
3⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
3⤵
PID:6236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
3⤵
PID:6404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
3⤵
PID:6528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
3⤵
PID:6696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
3⤵
PID:6760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
3⤵
PID:6996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5952 /prefetch:8
3⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
3⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
3⤵
PID:6800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7844 /prefetch:8
3⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x254,0x258,0x25c,0x128,0x260,0x7ff621805460,0x7ff621805470,0x7ff621805480
4⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7844 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
3⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6024 /prefetch:8
3⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5300 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2120,1873601663016718128,8219691704590311664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
3⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7700422201619941557,1214220061633856411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
3⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7700422201619941557,1214220061633856411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
2⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2761428545269333285,7072148674073877970,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
3⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,2761428545269333285,7072148674073877970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,147643199320229689,10420264060213101404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
3⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,147643199320229689,10420264060213101404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1naEL4
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,16174585278825007416,1453294117265366655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,16174585278825007416,1453294117265366655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AuTZ4
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1077887449159752598,11049041100056681930,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
3⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1077887449159752598,11049041100056681930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
2⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff09e146f8,0x7fff09e14708,0x7fff09e14718
3⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,927529688519374169,14096409362718067909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
3⤵
PID:6180

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 760
3⤵
- Program crash
PID:4040

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\Company\NewProduct\nuplat.exe
"C:\Program Files (x86)\Company\NewProduct\nuplat.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
PID:5504

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6304

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6560

C:\Program Files (x86)\Company\NewProduct\default_usar.exe
"C:\Program Files (x86)\Company\NewProduct\default_usar.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6788

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
PID:6984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888
1⤵
PID:5212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\default_usar.exe
Filesize
104KB

MD5
9794cca9468db118fd913036946b98f5

SHA1
4b322fd740797f9fbe00c653834adab1d8c7d495

SHA256
1bf559aeb4a734e84cee9a541edcda47e11023b8587d9e0cc60c27274e56003c

SHA512
09246a3967d2a3c43a33aec76d38f93f831a4ca7730ac1e9e800a18d0e07b2b0bcc480618f839790d595d16d8e3d440ba9cea7f5395e463c14e0fdb81b6a04de

Download Submit
C:\Program Files (x86)\Company\NewProduct\default_usar.exe
Filesize
104KB

MD5
9794cca9468db118fd913036946b98f5

SHA1
4b322fd740797f9fbe00c653834adab1d8c7d495

SHA256
1bf559aeb4a734e84cee9a541edcda47e11023b8587d9e0cc60c27274e56003c

SHA512
09246a3967d2a3c43a33aec76d38f93f831a4ca7730ac1e9e800a18d0e07b2b0bcc480618f839790d595d16d8e3d440ba9cea7f5395e463c14e0fdb81b6a04de

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
491KB

MD5
681d98300c552b8c470466d9e8328c8a

SHA1
d15f4a432a2abce96ba9ba74443e566c1ffb933f

SHA256
8bbc892aedc1424ca5c66677b465c826f867515a3fea28821d015edcee71c912

SHA512
b909975d0212d5a5a0cb2e2809ee02224aac729cb761be97a8e3be4ee0a1d7470946da8cf725953c1b2d71fb5fc9dc3c26fd74bce5db5cc0e91a106f8bded887

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\nuplat.exe
Filesize
287KB

MD5
17c42a0dad379448ee1e6b21c85e5ac9

SHA1
2fec7fbb4a47092f9c17cd5ebb509a6403cb6d69

SHA256
e080161f57d4eaaad9173b63219ba5a9c2c595324a6b3ffe96783db40839807b

SHA512
5ddfe9af625c54e417452fe582041cdd373b52d4ededbcba71a88050fd834bc8af822257f7ad606e89db3fde15be98f58c1d8ff139dac71d81a23f669617a189

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
97d70a58e490861249ab6a00e5d6147f

SHA1
3fd43941fa6009c0422cb9f6e9fa93008692318c

SHA256
6ca9a20848c9cc748cb947f724965eb2181e1c0c541b00959a5fdcfbdb2eb36a

SHA512
77ce9f54a2177331d54116024a47d3e863638597b9b0345eb2d241a2952332f69ad18a0d2b6be2d5cb8a84524f33c9ec78723bbd66ffa128850cc0a239c05404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ea6ce631f0dbc87fe530c4269861cca

SHA1
0836ec64123dacff7c804da0c6b413b358cb2986

SHA256
582a006caf5be200f4e74d18b5389bc447bea186f3f7d0ff3a436f2dbb9d44c8

SHA512
45b2eede98b7950f1296f09382dc004d71b5254ff634b6a70ded2de5915a26519f50db513d20c77359294aff423699bf602c308b1f917f1e822f2066cab1295e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7134c5f7a65d606c63a36922e587450

SHA1
c7aebb450811d36a3c31d504e545edcbde2c67ac

SHA256
d28f17c59dbd744081992eadfddc16c8539bd04ecc1fd7499397fab24380beee

SHA512
f6748400e89255259ab0979af56457b8449b846228386b035068b0d6d3e374652d0e33f0d33aa8c49aca739a9fa03a30583a6886e869aa919607e7da9bd36177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
30139380fc3d32c528223da2994f8c73

SHA1
515de603930d72d3cf9cada28759d25515841535

SHA256
aaeb0531880353dd8e17536435858e966abaac26470b1c9d16670eae6c8d77e8

SHA512
66d875a6945026ec385063e9c31ca12b3e781dd684edc668e6585a19f46e422c48b7bb818b1752588e2730db5c458f7aae2273f94a1db30de3c0ab899cc56fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
94d437de9b08399801dcd0dfcdff7fe3

SHA1
41c209170038db4fe26cc116d6f161ee5f004fbe

SHA256
c65dc4e87276390ad2ec0d17970fdb73b4b6f0a9af3f913ff5eeb893cde23d26

SHA512
97e811007adadbe035bb9d80309a66cb6ac000c647d61dc2927de201e5ac08a6c2ede54b63ff307d4bae0cfdab9fdeb27760e4f98dbf045d254937cf020abce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9a0cbc081c54dd0c4948c901c900f5d3

SHA1
bdd01cb01e23ce516c145b474d71d8fd02604f78

SHA256
d5bc5a5ba48395e49a35d627b94dfd93d6eb26e9640ef5a9f0b79cf6c8f8bcd3

SHA512
2d672018b091aaaf3131ca1c22f790dcb868da462a161d66d1c1a5607ad2298649e1a39967f145b62ecd0f833ed24cd241ec7b0b606f69f07c8e1502db4e5517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9635d542883cd0fd63c14ff7de336613

SHA1
79b9c5eb318ff03a409ea749b72805348722af2b

SHA256
ccf98095923581ca4136fc9f560e8d86bb41a8482eb240ba72e5fa2918be4446

SHA512
4e5a3c4f28ec1212a8f41f7cbc296ded4145bffa9a566e73077062980787cec4a6da3ec37e097d46c605b3457f0810d6258bebc013205dd97d2d1e93483500e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b75631bb620d462b6b15d7b478e92f4c

SHA1
bdb703f7c4ec094ddfc7c7511d15aa0f2ebbf799

SHA256
2dbf947693c9b09685ee5028466ac2df2433e7041672bcdcdc132bd1700ea5e5

SHA512
79ebe971e29d88816264ccdef5078bc40fae88cd3e8624627b2736eeccc4c39e5e78bfe2a9ff1d64c9baad859f10d96a5cf6c09c0c393c636f08a2b122311a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b75631bb620d462b6b15d7b478e92f4c

SHA1
bdb703f7c4ec094ddfc7c7511d15aa0f2ebbf799

SHA256
2dbf947693c9b09685ee5028466ac2df2433e7041672bcdcdc132bd1700ea5e5

SHA512
79ebe971e29d88816264ccdef5078bc40fae88cd3e8624627b2736eeccc4c39e5e78bfe2a9ff1d64c9baad859f10d96a5cf6c09c0c393c636f08a2b122311a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9a0cbc081c54dd0c4948c901c900f5d3

SHA1
bdd01cb01e23ce516c145b474d71d8fd02604f78

SHA256
d5bc5a5ba48395e49a35d627b94dfd93d6eb26e9640ef5a9f0b79cf6c8f8bcd3

SHA512
2d672018b091aaaf3131ca1c22f790dcb868da462a161d66d1c1a5607ad2298649e1a39967f145b62ecd0f833ed24cd241ec7b0b606f69f07c8e1502db4e5517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
30139380fc3d32c528223da2994f8c73

SHA1
515de603930d72d3cf9cada28759d25515841535

SHA256
aaeb0531880353dd8e17536435858e966abaac26470b1c9d16670eae6c8d77e8

SHA512
66d875a6945026ec385063e9c31ca12b3e781dd684edc668e6585a19f46e422c48b7bb818b1752588e2730db5c458f7aae2273f94a1db30de3c0ab899cc56fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
fbeacc7b98e183aa7cb90e8ab5eed09e

SHA1
ac9e8b3dcd5f94d324572dcb35872d84da3db774

SHA256
880763783312ba9db19bd9da83f0d1052e2ccd696607a118cd9e6a4ee72b0d34

SHA512
5367a89c436fbd48a2ecbdd5a283fcdbac742814d164b22d5a12227790802e02714e91f2932457ea7423d80756a015f099aaca9940eb9e5ee436389ffe90952e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
94d437de9b08399801dcd0dfcdff7fe3

SHA1
41c209170038db4fe26cc116d6f161ee5f004fbe

SHA256
c65dc4e87276390ad2ec0d17970fdb73b4b6f0a9af3f913ff5eeb893cde23d26

SHA512
97e811007adadbe035bb9d80309a66cb6ac000c647d61dc2927de201e5ac08a6c2ede54b63ff307d4bae0cfdab9fdeb27760e4f98dbf045d254937cf020abce2

Download Submit
\??\pipe\LOCAL\crashpad_1160_JCBRGXMVHOEMMZAI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1816_EKOYJZTIEVATBETA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1936_JOWXOZSNQAQADUJZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2284_EZGFYEMJKRKUPIVH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4208_MLBJPQBNWMSNJRQM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_864_FDHSXNGVCZJJGUEC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/708-152-0x0000000000000000-mapping.dmp

Download
memory/864-138-0x0000000000000000-mapping.dmp

Download
memory/1160-133-0x0000000000000000-mapping.dmp

Download
memory/1176-297-0x0000000000000000-mapping.dmp

Download
memory/1308-134-0x0000000000000000-mapping.dmp

Download
memory/1384-190-0x0000000000000000-mapping.dmp

Download
memory/1504-296-0x0000000000000000-mapping.dmp

Download
memory/1536-137-0x0000000000000000-mapping.dmp

Download
memory/1624-173-0x0000000000000000-mapping.dmp

Download
memory/1632-185-0x0000000000000000-mapping.dmp

Download
memory/1816-130-0x0000000000000000-mapping.dmp

Download
memory/1932-259-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1932-176-0x0000000000000000-mapping.dmp

Download
memory/1936-144-0x0000000000000000-mapping.dmp

Download
memory/2284-131-0x0000000000000000-mapping.dmp

Download
memory/2668-136-0x0000000000000000-mapping.dmp

Download
memory/2888-287-0x000000000077C000-0x000000000078D000-memory.dmp

Filesize
68KB

Download
memory/2888-226-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2888-155-0x0000000000000000-mapping.dmp

Download
memory/2888-227-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2888-225-0x000000000077C000-0x000000000078D000-memory.dmp

Filesize
68KB

Download
memory/2888-294-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2888-288-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3432-139-0x0000000000000000-mapping.dmp

Download
memory/3848-153-0x0000000000000000-mapping.dmp

Download
memory/4056-179-0x0000000000000000-mapping.dmp

Download
memory/4136-239-0x0000000006900000-0x0000000006F18000-memory.dmp

Filesize
6.1MB

Download
memory/4136-201-0x0000000000850000-0x0000000000894000-memory.dmp

Filesize
272KB

Download
memory/4136-246-0x0000000005FB0000-0x0000000005FEC000-memory.dmp

Filesize
240KB

Download
memory/4136-170-0x0000000000000000-mapping.dmp

Download
memory/4136-243-0x0000000005EA0000-0x0000000005FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4188-301-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000000000-mapping.dmp

Download
memory/4264-172-0x0000000000000000-mapping.dmp

Download
memory/4268-177-0x0000000000000000-mapping.dmp

Download
memory/4352-159-0x0000000000000000-mapping.dmp

Download
memory/4352-257-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4352-258-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4464-180-0x0000000000000000-mapping.dmp

Download
memory/4492-191-0x0000000000000000-mapping.dmp

Download
memory/4524-135-0x0000000000000000-mapping.dmp

Download
memory/4740-304-0x0000000000000000-mapping.dmp

Download
memory/4788-186-0x0000000000000000-mapping.dmp

Download
memory/4884-183-0x0000000000000000-mapping.dmp

Download
memory/5004-302-0x0000000000000000-mapping.dmp

Download
memory/5012-168-0x0000000000000000-mapping.dmp

Download
memory/5044-150-0x0000000000000000-mapping.dmp

Download
memory/5252-299-0x0000000000000000-mapping.dmp

Download
memory/5488-204-0x0000000000000000-mapping.dmp

Download
memory/5504-200-0x0000000000000000-mapping.dmp

Download
memory/5588-281-0x0000000000000000-mapping.dmp

Download
memory/5816-210-0x0000000000000000-mapping.dmp

Download
memory/5848-209-0x0000000000000000-mapping.dmp

Download
memory/6024-212-0x0000000000000000-mapping.dmp

Download
memory/6040-295-0x0000000000000000-mapping.dmp

Download
memory/6180-215-0x0000000000000000-mapping.dmp

Download
memory/6236-217-0x0000000000000000-mapping.dmp

Download
memory/6304-241-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/6304-219-0x0000000000000000-mapping.dmp

Download
memory/6304-290-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/6304-285-0x0000000006D10000-0x00000000072B4000-memory.dmp

Filesize
5.6MB

Download
memory/6304-222-0x0000000000C90000-0x0000000000CD4000-memory.dmp

Filesize
272KB

Download
memory/6304-286-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/6324-277-0x0000000000000000-mapping.dmp

Download
memory/6404-224-0x0000000000000000-mapping.dmp

Download
memory/6528-229-0x0000000000000000-mapping.dmp

Download
memory/6560-231-0x0000000000000000-mapping.dmp

Download
memory/6560-289-0x0000000005120000-0x000000000513E000-memory.dmp

Filesize
120KB

Download
memory/6560-284-0x0000000004F60000-0x0000000004FD6000-memory.dmp

Filesize
472KB

Download
memory/6560-291-0x0000000006560000-0x00000000065B0000-memory.dmp

Filesize
320KB

Download
memory/6560-292-0x0000000006780000-0x0000000006942000-memory.dmp

Filesize
1.8MB

Download
memory/6560-293-0x0000000006E80000-0x00000000073AC000-memory.dmp

Filesize
5.2MB

Download
memory/6560-236-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/6696-237-0x0000000000000000-mapping.dmp

Download
memory/6760-242-0x0000000000000000-mapping.dmp

Download
memory/6788-249-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/6788-244-0x0000000000000000-mapping.dmp

Download
memory/6800-283-0x0000000000000000-mapping.dmp

Download
memory/6984-251-0x0000000000000000-mapping.dmp

Download
memory/6996-253-0x0000000000000000-mapping.dmp

Download